Create your GDPR Compliant survey, form, or poll now!
GDPR compliance starts with clear consent, transparent data use, and strong privacy practices. When creating surveys or forms, use explicit opt-ins, clear privacy notices, and secure platforms like SurveyLegend to protect EU user data and stay compliant with regulations, avoiding penalties and building user trust.
If you are creating forms or surveys for a business that is based in the European Union (EU), or if you collect and process the personal data of EU citizens, the European Union’s General Data Protection Regulation (GDPR) affects you.
The GDPR (General Data Protection Regulation) law basically says that:
- You must obtain freely given, specific, informed, and unambiguous consent from your respondents when you collect their personal data. In other words, you shall not force people to respond to or fill out your surveys or forms, or somehow trick them to collect their personal data.
- Additionally, you must explain how you plan to use their personal data in a clear and easy-to-understand way.
- Also, as individuals have the right to be forgotten, you must delete the information you have collected from them if they request it.
- Using a consent form is essential for GDPR compliance, as it records explicit user consent and provides transparency about data usage.
You can view the entire GDPR regulation here at EUR-lex in 24 official European languages, or check out the GDPR site.
When creating GDPR-compliant surveys, using customizable templates can help streamline the process and ensure your forms meet legal requirements. GDPR-compliant surveys must meet all GDPR requirements, including obtaining valid consent, providing clear privacy notices, and ensuring data security. Choosing a GDPR-compliant survey platform also helps you collect feedback securely and in accordance with the law.
So, as a SurveyLegend user, you’re already covered. But we have made this article for you to help you stay compliant with this law when you collect personal data using surveys or forms made with our solution. We’re not going to investigate GDPR line by line, because it’s 88 pages long. We just want to guide you through the must-know basics for collecting feedback. To collect feedback in a GDPR-compliant way, it’s important to use secure tools and follow best practices for privacy and consent.
Introduction to GDPR Compliance
The General Data Protection Regulation (GDPR) is the European Union’s gold standard for data privacy and protection. Designed to safeguard the personal data of natural persons—referred to as data subjects—GDPR compliance is essential for any organization that collects, processes, or transfers personal data belonging to EU residents, regardless of where the organization is based. The regulation sets out clear rules to ensure transparency, accountability, and user control over personal data.
To achieve GDPR compliance, organizations must appoint a Data Protection Officer (DPO) if their core activities involve large-scale processing of sensitive data or regular monitoring of data subjects. The DPO oversees all data protection activities and acts as a point of contact for both data subjects and supervisory authorities. Under the General Data Protection Regulation, data subjects have robust rights, including the ability to request access to their personal data, request rectification or erasure, restrict or object to processing, and exercise their right to data portability. These rights empower individuals to make informed decisions about their data and ensure organizations remain accountable for how they handle such data.
Whether you’re collecting survey responses, managing a user’s account, or transferring personal data across borders, understanding and implementing GDPR requirements is crucial for building trust and avoiding costly penalties.
Understanding GDPR Principles
At the heart of the GDPR are seven key principles that guide how organizations should handle personal data. These principles ensure that data subjects’ rights are respected and that organizations process personal data responsibly:
- Lawfulness, Fairness, and Transparency: Organizations must process personal data lawfully, fairly, and in a way that is transparent to data subjects. This means clearly informing individuals about how their data will be used and ensuring there is a valid lawful basis—such as consent, a statutory or contractual requirement, or legitimate interests—for processing personal data.
- Purpose Limitation: Personal data should only be collected for specific, explicit, and legitimate purposes. Organizations must not process data in ways that are incompatible with those original purposes.
- Data Minimization: Only the data that is necessary for the intended purpose should be collected and processed. This helps reduce risks and ensures that data subjects’ privacy is respected.
- Accuracy: Organizations must take reasonable steps to ensure that personal data is accurate and kept up to date. Inaccurate data should be corrected or deleted without delay.
- Storage Limitation: Personal data should not be kept for longer than necessary. Organizations must establish clear retention periods and securely delete or anonymize data when it is no longer needed.
- Integrity and Confidentiality: Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage.
- Accountability: Organizations are responsible for demonstrating compliance with all GDPR principles. This means keeping records of data processing activities and being able to show that data protection measures are in place.
By adhering to these principles, organizations can ensure that their data processing activities are both compliant and respectful of the rights and freedoms of data subjects.
Before you start
Here are some things to know before you begin this process.
- You can read detailed information about SurveyLegend’s GDPR Compliance here.
- Just because SurveyLegend is compliant with GDPR does not automatically make you compliant too. We provide the infrastructure for you to conduct your research in a GDPR-compliant way. GDPR-compliant survey platforms often emphasize data ownership and control for users, ensuring that they have full authority over how their data is managed.
- How you handle your respondents’ personal data, which may be collected by means of our platform, is your responsibility.
- To collect consent from your own new and existing respondents, you personally must take action to obtain consent from the data subject before processing their data.
Before collecting any data, you must provide a GDPR privacy notice to inform respondents about how their data will be used and stored. When required, especially for sensitive data, obtaining explicit consent is necessary to ensure compliance. If your respondents are minors, you must secure consent from a legal guardian or obtain parental consent before collecting their data.
At SurveyLegend, trust is our number 1 value, and the protection of our customers’ data is paramount. Therefore, long before GDPR, we were trying to create an online survey solution with respect to your and your respondents’ privacy and security. Recently, thanks to the new GDPR legislation and clearer directions from the EU, we’ve updated parts of our system to fully comply with the new privacy protection law. It is important to always follow GDPR regulations when handling survey data to ensure your data collection practices meet legal standards.
Creating a GDPR Compliant Privacy Notice
A GDPR compliant privacy notice is a cornerstone of transparent data collection. This document informs data subjects about how their personal data will be processed, ensuring they are fully aware of their rights and how their information will be used. Privacy notices should avoid vague terms and use active voice to ensure clarity. To meet GDPR requirements, your privacy notice must be written in clear and plain language that is easy for anyone to understand—no legalese or confusing terms.
Your privacy notice should include essential information such as the identity and contact details of the data controller, the purposes and legal basis for processing personal data, and the rights of data subjects. Every organization that maintains a website should publish its privacy notice under the title ‘Privacy Policy.’ It must also provide the contact details of your Data Protection Officer and the relevant supervisory authority, so data subjects know where to turn if they have concerns about data protection.
Make sure your privacy notice is easily accessible at the point of data collection, such as on your web page or within your survey or form. Regularly review and update your privacy notice to reflect any changes in your data processing activities or relevant privacy laws. By providing a GDPR compliant privacy notice, you help data subjects make informed decisions and demonstrate your commitment to data protection.
Some fundamental GDPR info
Honestly, nobody likes to be watched or followed without knowing who’s watching them and why; it’s creepy.
And yet many companies and organizations silently monitor us and collect data about us. We don’t know why they do it or what they want to do with it. We don’t know how they get hold of our personal information, how long they keep it, how they process it, with whom they share it, and what they can really infer from it. This is where the GDPR comes from: to protect everyone from such intentions, to remind us of the magnitude of our responsibilities, and to reflect how serious it is to collect and process personal information about people.
So, let’s be positive and welcome this law. It doesn’t have to be hard to be GDPR-compliant. Just a few new things to learn. So let’s start:
What is “Personal Data”
So, let’s see what “personal data” means.
The word “data” is pretty technical and has an ambiguous meaning. This PDF that the ICO provides can explain the legal definitions if you want to be very pedantic about it. Otherwise, we recommend that you be pragmatic and assume that, yes, your business does deal with data and especially Personal Data, as this is usually the case with forms and surveys.
Personal data, on the contrary, is easy to define:
data that relates to a living individual who can be identified:
- a) from those data, or
- b) from those data and other information which is in the possession of, or is likely to come into the possession of, the Data Controller*.
Of course, a list of names and addresses can be considered as personal data. But if you have another list with pieces of information and a way to match that list with a list of names and addresses, that would also be considered as personal data.
There’s also a more specific category of personal data that you need to be more careful about: sensitive personal data, which is essentially any personal data that relates to:
- racial or ethnic origin
- political opinions
- religious beliefs
- trade union membership
- health (physical or mental)
- sexual activity
- genetic and biometric data
What is the processing of personal data?
Processing means any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. In practical terms, this means any process that stores or consults personal data is considered processing.
Principles of processing personal data
Keep in mind that the way GDPR puts it, literally anything you do with the personal data means that you are processing it. Having that in mind, we go to Article 5 of the GDPR, which defines 6 principles for processing personal data:
- processed lawfully, fairly, and transparently;
- processed only for specified purposes, not for other purposes;
- limited to what is needed: collect as much as you need for what you intend to do and to perform the job accurately, not more;
- accurate and up to date, if necessary, otherwise they must be erased or corrected;
- kept no longer than necessary;
- kept and processed securely.
Who is the “Data Controller”? And who is the “Data Processor”?
- Data Controller: any person who determines how and why (i.e., the business purpose) personal data will be processed;
- Data Processor: any person who processes personal data on behalf of a data controller.
Keep in mind that when the act mentions persons, it’s actually talking about legal persons, which include most businesses. Therefore, a controller will be the business you work for, not you personally.
So, normally, when you do research and conduct surveys, you (your organization or company) are both data controller and data processor simultaneously. But sometimes you may want to outsource the processing of data to third parties. So you must make sure that your data processor is compliant.
Whilst our company (SurveyLegend) is a processor for all of our customers, we’re also a controller for our own employees, customers, and users’ data.
Is your data processor compliant?
So, let’s assume that you are hiring a data processor to improve your research process. Article 28 states that:
The controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
So if we translate it to human language :) – it’s your responsibility to make sure that your data processors operate in a GDPR-compliant way. If you have a Data Protection Officer, ask them to check your supplier’s (processors’) privacy and security policies to ensure that they adhere to the GDPR (here are our terms and privacy policy and GDPR Compliance info). Additionally, based on the new rules, you must make certain that your processor has GDPR-compatible contracts in place with their own processors (sub-processors). This should be reflected in their policies clearly.
Transferring data outside the EU
The GDPR also places restrictions on transferring data outside of the European Union. Only if “appropriate safeguards”, such as Privacy Shield, are in place can you let the data leave the EU. Your processor should be able to explain where they store their data and prove that it’s either in the EU or in another country covered by an agreement such as Privacy Shield. See ours here.
Individuals’ rights
The whole point of GDPR is that individuals own their own data. It’s not like before that companies “owned” your data and could do whatever they wanted with it, and the only choice we had was “deleting our account” if we didn’t want to use their services or didn’t like their policies. Even that wouldn’t give us back the data that we had shared with them up to that point.
So, because data is owned by the individuals, the law gives them the following rights:
- Access their personal data;
- Correct errors in their personal data;
- Erase their personal data;
- Object to the processing of their personal data;
- Export personal data.
Making your questionnaires GDPR-compliant
Now let’s see how you can apply all of these principles in your research practice and when conducting surveys.
To make your surveys or forms compliant with GDPR, you must do several things. So, here we must briefly review a few additional notions of “lawful processing”, “legitimate interest”, and “consent”.
Lawful processing
First of all, you must do a lawful processing of data. What is considered lawful is explained here in Article 6, subparagraph 1, if you want to challenge your skills of comprehending the English language. However, as we understand it, they are just trying to say that:
- When collecting personal data, your respondents must deliberately and willfully tell you that it is OK that you collect data about them, for the purposes that you clearly explain to them. In other words, they should give you consent.
- When collecting personal data, you (your organization or company) should be able to convincingly prove that collecting feedback is in your legitimate interest.
Legitimate interest
“Legitimate interests” means that it’s in your (and your customers’) interests to collect feedback, data, and their info. For example, to solve their problems or enhance your services.
Please note that the GDPR is extremely explicit about not letting organisations use the “legitimate interests” clause as an excuse for marketing activities. You may need to double-check this if you are doing Market Research activities. So, make sure your feedback processors and marketing folk have a thick wall in between.
Consent
Consent basically means getting permission for something you want to do, or agreeing with your individual respondents that you are going to collect their data. Consent must be “unambiguous”, and in the case of sensitive data, “explicit”. This means you cannot use dark patterns like pre-ticked checkboxes, or trick people somehow to agree with something that they don’t really understand what it is and what they are agreeing with!
The new law says:
“When the processing has multiple purposes, consent should be given for all of them”
also, your request [for consent] must be clear, brief and not disruptive to the use of the service for which it is provided.
So, just be sure you’re fully transparent about how and why you intend to use data in your research, and also make sure that you give people the chance to opt out or ask you to delete their data if they change their minds.
Obtaining explicit consent in your surveys or forms
If you genuinely feel that your research and use of data are respectful of your respondents, then don’t feel that you need to obtain consent. Just make sure you’re completely transparent about “how” and “why” you’re planning to use data in your survey process. Also, give people the chance to contact you for further info or to opt out. Otherwise, you must obtain consent. If you do need to collect consent, consider using a consent form to record user agreement, which should clearly outline what data will be collected, how it will be used, and the process for withdrawing consent. For minors, you must obtain parental consent or approval from a legal guardian before collecting any data. You can present consent information using a pop-up on your website to engage users directly, and customizable templates can help you create clear and compliant consent forms or privacy notices.
It’s important to know that once you’ve gotten consent, you can’t double-back and use another base for processing. So if a respondent does not permit you and says “no”, you can’t then change your mind and send the survey anyway with the justification of “legitimate interests”, for instance. Opt-out surveys and legal considerations are crucial topics when planning data collection strategies.
Keep in mind that you must record how and when consent was given. Obtaining explicit consent is especially important for sensitive data or specific uses, ensuring that users are fully informed and agree to the terms. Users have the right to withdraw their consent at any time and must be informed of this right. Respondents also have the right to withdraw their consent at a later date, so you should provide clear instructions on how they can do so.
So if you decide that you need to obtain consent, here is how you can do this:
For collecting non-sensitive data
According to the GDPR, for non-sensitive data, you need “unambiguous, affirmative” consent, not “explicit” consent. Therefore, you can rely on a completely unmistakable notice along the lines of, for example:
“By filling out this form, you agree that we will process your data in line with our privacy policy.”
A good place to have this information in your questionnaires is the Welcome page. This feature allows you to add a starting screen for your surveys or forms, which can only include data, pictures, and a button to START the survey.
This article helps you write a proper Privacy Policy for your surveys.
This shows an example of getting consent for non-sensitive data in a survey, using a Welcome Page.
The image above shows an example of getting consent for non-sensitive data in a survey, using a Welcome Page.
You provide clear information and put a note for getting consent. Note that this is just a simple example. The amount of information that you provide here and how you describe it is up to you and your research case.
Remember that you must explain personal data processed, the purpose of processing, the intended retention, subject rights, the source of data, and the conditions of processing. Of course, it can become a heavy start for a survey, and you don’t want to scare people. So, it’s good to keep it short and add a link to your privacy policy page, or a page that fully describes your research process.
You can easily link any piece of text to external pages, for example, to your “policy page” or a page that explains why and how you are doing this survey. Read more about adding links to your survey content.
It might also be a good idea to include a brief version or repeat this information at the end of the survey, using a Thank You Page.
People may perhaps change their minds after answering all the questions. So, you don’t want them to go back all the way to the beginning of the survey or reload it (and pollute your data) just to check the privacy policy page or your contact person’s info.
Sometimes we see people try to obtain consent at the end of the survey. For instance, they use a Section Break right at the end and tell people: “If you submit, you agree with our privacy terms and give us your consent.” Like the image below:
Don’t put this critical information at the end of the survey. First of all, our system collects data as people type. Secondly, people may miss it.
This might be a good idea for regular online forms, but when you use SurveyLegend, this strategy is not good for two reasons:
- SurveyLegend collects data as soon as respondents start typing or selecting choices. This is to ensure you will get even the unfinished surveys. Your respondents might get tired and just leave before submitting the survey.
- People might simply miss it, because it is at the end of the survey. If the questionnaire is too long, they might not even see it, or, being tired after answering all your questions, they may not pay enough attention. So this is against the regulation, which requires you to inform people clearly and transparently.
If you do it this way, you must manually filter and remove collected data from “un-submitted” participations.
Of course, none of these have to be included inside the survey itself. It depends on how you handle your survey process.
If you inform people via other ways in advance and have their consent, and if you are sure that they are informed before starting the survey, then don’t include them here. But remember that surveys are sent as links, so anyone can share them! Are you sure no one outside of your target group will receive the survey?
For analytical purposes, you might want to collect survey respondents’ IP addresses; for example, to identify whether one person has participated in the same survey several times to affect the results. This feature is OFF by default in our tool, unless you manually enable it.
Keep in mind that IP addresses are considered personal data, particularly by the GDPR. Therefore, collecting IP addresses without asking for permission from the respondents makes your questionnaire non-compliant with the General Data Protection Regulation!
If you want to enable this feature, we strongly recommend that you explain your policies and obtain consent from your respondents, because otherwise, your respondents will not have any way to know that you are collecting their IPs.
For collecting sensitive data:
According to the GDPR, to collect sensitive data, you need “explicit” consent.
As we already mentioned, individuals must understand clearly and unambiguously what they are giving permission to. Therefore, you must simply articulate your request and be specific.
What is important here is that consent should be given in the form of a clear affirmative action on the part of the data subject. In practical terms, this means asking for a positive “opt-in”. It also means that pre-ticked boxes should not be used before they start the survey.
So, after explaining your privacy policy and how / why of your research, you can start the survey by asking a first question like this one:
Use a Single Selection question (NOT a Multiple Selection question).
Make this question compulsory by enabling the Answer is required setting!
* Is it OK for us if we use your data, such as your health status, which you provide when filling out this questionnaire (in accordance with our privacy policy as explained in the beginning)?
- Yes
- No
Here you see that you are providing a clear “opt-in” possibility. Respondents must give you permission to use their data, since answering is required.
Perhaps you want to collect several pieces of sensitive data about your respondents. Therefore, it might easily become too much and too intimidating to describe why you need to collect each of them at the beginning of the survey.
So, do we have a nicer solution for this? Oh yes!
What you can do is to simply describe the way data will be used right under the question itself. SurveyLegend has a little nifty feature called Instructions For Respondents. Enabling this will add a piece of text with a smaller font size underneath the question text, where you can explain why you need the data.
Also, make sure to turn on the “Always visible instructions” setting, so that your respondents won’t miss your explanation. Here is an example of how it could look:
What is your full name?
We need this to be able to verify your membership at our institute.
What is your email address?
We need your email to be able to send you information about your results of this survey.
What is your ethnic origin?
This information helps our organization to have better marketing campaigns and external communications, reaching the right audience.
This way, you are not only more transparent and clearer about your use of their data (which is in accordance with the GDPR), but it is also easier for a human brain to process the information. It will be less scary and less intimidating to answer your questions.
What if they say NO?
It’s great to obtain the consent. But what if some people say NO?
If your respondent answers NO but keeps filling out the questionnaire, or if they say NO but have already answered some questions containing sensitive personal data before reaching this question (in case you didn’t put it right at the beginning), you must manually remove the data that was collected. Deleting data is your own responsibility and is done either using our deleting individual respondents feature, or by doing it in your exported data and then deleting the entire survey from your account.
If you keep data in different locations, for example by using our APIs to pull the data into your servers, or by exporting the data locally or to your Google Drive, you must remember that you may have several copies of the same data. Therefore, deleting responses from people who do not give you their consent, only from one of those places where you keep the data, is not enough. Make sure to delete every instance of the data.
Also, when your data retention period is over, you are expected to delete the collected data.
However, a better solution is to stop collecting their personal data as they fill out the questionnaire. Because the rest of the answers, which do not include any personal data, may still be interesting for you as a researcher. So why not keep that part and just throw away the personal data part?
To do so, you can easily use logic flows. Basically, what you need to do is to make a logic flow like this:
IF their answer is (No), THEN hide those questions that collect personal data.
* Is it OK for you, if we (in accordance with our privacy policy as explained in the beginning) use your personal data, such as your political opinion and ethnic background, which you provide in the 2 questions below?
- Yes
- No
Read more about adding logic to Single Selection questions, and about the Hide logic.
This way, those questions will be displayed by default (for clarity, place them right after this conditional question). But if the respondents select “No”, the questions will be hidden. And even if they have answered them before choosing “No”, that data will automatically be deleted from our servers. Therefore, you will never collect such data in your analytics. But you can still take advantage of the rest of the collected data.
Also, you can place this question anywhere in your survey, and it doesn’t have to be the first thing that respondents see.
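As an added example (not SurveyLegend’s code, and not its API), here is how the three rules above could be implemented in your own response handling: the “IF consent is No THEN drop the personal-data questions” flow, recording how and when consent was given, and deleting every copy of a respondent’s data. Question ids, field names and the sample responses are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed survey layout (hypothetical ids, not a SurveyLegend schema).
CONSENT_QUESTION = "q1_consent"
GATED_QUESTIONS = {"q2_political_opinion", "q3_ethnic_background"}  # personal data
IP_FIELD = "ip_address"  # IP addresses are personal data under the GDPR
CONSENT_TEXT = ("Is it OK for you, if we use your personal data, such as your "
                "political opinion and ethnic background, provided in the 2 questions below?")


@dataclass
class ConsentRecord:
    """'How and when' consent was given, kept alongside the response."""
    respondent_id: str
    question_text: str   # exactly what the respondent was asked
    answer: str          # "Yes", "No" or "unanswered"
    recorded_at: str     # ISO 8601 UTC timestamp ("when")
    method: str          # "how": single-selection question, answer required


def process_response(response: dict, collect_ip: bool = False) -> Tuple[dict, ConsentRecord]:
    """Apply the consent logic flow to one raw response.

    Anything other than an explicit "Yes" (including an unanswered consent
    question) fails closed: gated answers are discarded even if they were
    typed before the respondent chose "No". Non-personal answers are kept.
    """
    answer = response.get(CONSENT_QUESTION)
    granted = answer == "Yes"
    kept = {}
    for key, value in response.items():
        if key in GATED_QUESTIONS and not granted:
            continue  # hide/discard personal-data questions without consent
        if key == IP_FIELD and not (collect_ip and granted):
            continue  # IP only when the feature is enabled AND consent was given
        kept[key] = value
    record = ConsentRecord(
        respondent_id=response["respondent_id"],
        question_text=CONSENT_TEXT,
        answer=answer if answer in ("Yes", "No") else "unanswered",
        recorded_at=datetime.now(timezone.utc).isoformat(),
        method="single-selection, answer required",
    )
    return kept, record


def purge_everywhere(stores: Dict[str, List[dict]], respondent_id: str) -> int:
    """Delete every copy of one respondent's data (primary DB, local export,
    API mirror, ...). Returns the number of records removed and raises if any
    copy survives, so a partial deletion cannot pass silently."""
    removed = 0
    for records in stores.values():
        before = len(records)
        records[:] = [r for r in records if r.get("respondent_id") != respondent_id]
        removed += before - len(records)
    leftovers = [name for name, records in stores.items()
                 if any(r.get("respondent_id") == respondent_id for r in records)]
    if leftovers:
        raise RuntimeError(f"copies of {respondent_id} still present in: {leftovers}")
    return removed


# Constructed sample responses: one refusal, one consent, one left unanswered.
SAMPLE_RESPONSES = [
    {"respondent_id": "r1", CONSENT_QUESTION: "No", "q2_political_opinion": "centrist",
     "q3_ethnic_background": "x", "q4_satisfaction": 4, IP_FIELD: "203.0.113.5"},
    {"respondent_id": "r2", CONSENT_QUESTION: "Yes", "q2_political_opinion": "green",
     "q4_satisfaction": 5, IP_FIELD: "203.0.113.9"},
    {"respondent_id": "r3", "q3_ethnic_background": "y", "q4_satisfaction": 2},
]


def run_demo(collect_ip: bool = True) -> Dict[str, dict]:
    """Process the samples and return the sanitized responses keyed by respondent."""
    return {r["respondent_id"]: process_response(r, collect_ip)[0] for r in SAMPLE_RESPONSES}


if __name__ == "__main__":
    for rid, kept in run_demo().items():
        print(rid, kept)
```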
In case of a data breach
What happens if you figure out that there has been a data breach and your collected personal data has been exposed to third parties?
In such cases, you must comply with GDPR regulations by promptly notifying affected individuals about the breach. If minors are affected, their legal guardian must also be informed. Additionally, it is important to review and update your consent forms and GDPR privacy notice to ensure continued transparency and compliance after the breach.
Reporting to your respondents
If you identify that there is a “high risk to their rights and freedoms”, then you must notify your respondents too. In such cases, you should provide a GDPR privacy notice to affected individuals, clearly explaining the nature of the breach and how their data is being handled. You must also ensure that your notification process complies with GDPR. If any minors are affected, their legal guardian should also be notified.
For most types of feedback forms, it’s quite difficult to consider the data breach as high-risk. Unless you’re processing sensitive data, for example, if your business is in the health sector.
Will I have to pay a 20 million euro fine if something happens?
Almost certainly not! This €20,000,000 figure has been a hot headline, but it is for the absolute worst cases. There is also a lower fine of 10 million euros, which applies to standard offenses.
According to the ICO’s news blog, fines are the last resort. The law is there to help (or sort of force) businesses to do the right thing and correct their structure. It’s to protect people. It is not about giving fines to small businesses here and there.
Fines are for the bad guys with bad intentions! You’re not one of them. You’re a legend, already finishing this article, because you want to do the right thing.
Following GDPR regulations is essential to avoid these penalties, as non-compliance can result in significant fines. The European Union’s enforcement of GDPR fines ensures that organizations take data privacy and security seriously.
If your organization has nothing to do with EU citizens
Many people wonder about this: “Our company is not located in the EU. We’re not dealing with citizens of the European Union. Should we still care about GDPR?”
The European Union’s General Data Protection Regulation (GDPR) has a global reach and can apply to organizations outside the EU if they process personal data of EU residents. Even if your organization is not based in the EU, you may still need to comply with GDPR regulations if you handle data from individuals in the EU. Providing a GDPR privacy notice to EU respondents is essential to ensure transparency and legal compliance.
Well, the short answer is: “usually not, but it depends”. However, the right answer is, “Of course you should!”.
Unlike the old law of the Data Protection Directive, the GDPR can apply to any globally operating company. It is not made just for those located in the EU.
Under the GDPR, organizations may be in scope if they are established in the EU, or if they process the personal data of individuals located in the EU, regardless of where the organization itself is based.
Even if your company is not established in the EU, we recommend that you take the law very seriously and reform how you handle personal data in your organization.
The GDPR is about having a healthy digital culture in the company. It is about respecting the privacy of individuals. It is not about EU citizens.
The initiative has indeed taken place in the EU to protect its citizens. But first of all, how do you know when your own country will enforce similar laws? Isn’t it better to be ready for it already? Secondly, why not practice a better way of treating the personal information of people who trust you and give it to you? There is nothing wrong with that :)
And you never know, maybe someone from the EU answers your surveys and then… things go wrong?
If, for some reason, you must treat citizens of other regions differently in your surveys when it comes to personal data collection, then use our survey logic: ask respondents whether they are from the EU, and if the answer is NO, show or hide the questions you need to.
Disclaimer
This article is written in a simple way and can be used by most companies and researchers. We have tried to clarify what we have understood from GDPR when it comes to collecting data using Surveys, Forms, or online questionnaires.
However, every research case is different, and every company or organization may collect data (or personal data) for different purposes and in different ways.
Therefore, the precautions and practical tips that we suggest here may not be enough for some special cases. In such scenarios, it is important to provide a GDPR privacy notice to inform users about data processing activities and ensure transparency. For complex cases, always consult the relevant GDPR regulations to ensure your data collection practices are fully compliant.
Therefore, we strongly recommend that you consult a professional if your organization has access to a lawyer and you are in doubt about the way you collect and process your respondents’ data.
Please don’t hesitate to let us know if you find flaws in our article; together, we can make it even more GDPR-proof. So leave us some comments, don’t be shy.
FAQs (Frequently Asked Questions)
How can I make my survey GDPR compliant?
To make your survey GDPR compliant, you must obtain informed and unambiguous consent, provide a clear privacy notice, and ensure data security. Use tools like SurveyLegend that support consent forms, customizable templates, and logic flows for transparent data collection.
Do I need to collect explicit consent for every survey response?
Only if you’re collecting sensitive data (e.g., health, political views, biometrics). For non-sensitive data, “unambiguous, affirmative” consent is sufficient. Always inform respondents how their data will be used and offer the option to opt out or withdraw consent.
What should a GDPR-compliant privacy notice include?
A GDPR-compliant privacy notice must state the data controller’s identity, the purpose and legal basis for data processing, data retention policy, subject rights, and how to contact a Data Protection Officer. It should be written in clear, simple language.
What happens if a respondent withdraws consent or says no?
If consent is denied or withdrawn, you must stop processing that respondent’s personal data and delete any collected information. Using tools with logic flows, like SurveyLegend, helps automatically hide or delete sensitive questions in real-time based on the user’s input.
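The two behaviours described above, showing personal-data questions only after an explicit opt-in (the survey-logic approach from the section on non-EU organizations) and erasing a respondent's stored data when consent is declined or withdrawn, can be modelled in a few lines. The following is an added example written for this article, not SurveyLegend's own code; the field names, the pseudonymous respondent IDs and the in-memory store are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed question sets for this example. Personal fields are only
# collected and stored when the respondent has given explicit consent.
PERSONAL_FIELDS = {"email", "full_name"}
ANONYMOUS_FIELDS = {"satisfaction", "would_recommend"}


@dataclass
class Consent:
    purpose: str                 # what the respondent was told the data is for
    given_at: datetime           # timestamp of the affirmative opt-in
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class SurveyStore:
    """In-memory store that keeps personal data only under active consent."""

    def __init__(self) -> None:
        self.consents: Dict[str, Consent] = {}
        self.responses: Dict[str, Dict[str, str]] = {}
        # Append-only log of consent events. It records pseudonymous IDs and
        # timestamps, never the personal answers themselves.
        self.audit: List[str] = []

    def visible_questions(self, consent_given: bool) -> List[str]:
        """Logic flow: personal-data questions appear only after an opt-in."""
        questions = sorted(ANONYMOUS_FIELDS)
        if consent_given:
            questions += sorted(PERSONAL_FIELDS)
        return questions

    def record_consent(self, rid: str, purpose: str, opted_in: bool) -> None:
        """Record the respondent's choice; a decline is logged but grants nothing."""
        now = datetime.now(timezone.utc)
        if opted_in:
            self.consents[rid] = Consent(purpose, now)
            self.audit.append(f"{now.isoformat()} consent given rid={rid} purpose={purpose}")
        else:
            self.audit.append(f"{now.isoformat()} consent declined rid={rid}")

    def submit(self, rid: str, answers: Dict[str, str]) -> Dict[str, str]:
        """Store a response, dropping personal fields unless consent is active."""
        consent = self.consents.get(rid)
        kept = {k: v for k, v in answers.items() if k in ANONYMOUS_FIELDS}
        if consent is not None and consent.active:
            kept.update({k: v for k, v in answers.items() if k in PERSONAL_FIELDS})
        self.responses[rid] = kept
        return kept

    def withdraw(self, rid: str) -> bool:
        """Right to be forgotten: mark consent withdrawn and erase the response."""
        consent = self.consents.get(rid)
        if consent is None or not consent.active:
            return False
        consent.withdrawn_at = datetime.now(timezone.utc)
        self.responses.pop(rid, None)
        self.audit.append(
            f"{consent.withdrawn_at.isoformat()} consent withdrawn, data erased rid={rid}"
        )
        return True


if __name__ == "__main__":
    store = SurveyStore()
    store.record_consent("r1", "product feedback follow-up", opted_in=True)
    print(store.visible_questions(True))
    print(store.submit("r1", {"satisfaction": "5", "email": "a@example.com"}))
    print(store.withdraw("r1"), store.responses)
```

The store never holds a personal answer without a matching active consent record, so a withdrawal request can be honoured by deleting the response and noting the event in the audit log, which is what a supervisory authority would ask to see.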