Forms, GDPR, Online Survey, Security, Survey Examples

Your Ultimate Guide on How to Make GDPR-proof Surveys or Forms (with Examples)


If you are creating forms or surveys for a business which is based in the European Union (EU), or if you collect and process the personal data of EU citizens, the General Data Protection Regulation (GDPR) affects you.

The GDPR (General Data Protection Regulation) law basically says that:

  • you must obtain freely given, specific, informed, and unambiguous consent from your respondents when you collect their personal data. In other words, you shall not force people to respond to or fill out your surveys or forms, or somehow trick them to collect their personal data.
  • Additionally, must explain how you plan to use their personal data, in a clear and easy to understand way.
  • Also, as individuals have the right to be forgotten, you must delete information that you have collected from them if they request.

You can view the entire GDPR regulation here at EUR-lex in 24 official European languages, or check out the GDPR site.


So, as a SurveyLegend user you’re already covered. But we have made this article for you to help you stay compliant with this law when you collect personal data using surveys or forms made with our solution. We’re not going to investigate GDPR line by line, because it’s 88 pages long. We just want to guide you through the must-know basics for collecting feedback.

Before you start

Here are some things to know before you begin this process.

  • You can read detailed information about SurveyLegend’s GDPR Compliance here.
  • Just because we SurveyLegend is compliant with GDPR does not automatically make you compliant too. We provide the infrastructure for you, to conduct your research in a GDPR-compliant way.
  • How you handle your respondents’ personal data, which may be collected by means of our platform is your own responsibility.
  • To collect consent from your own new and existing respondents, you personally must take action.

At SurveyLegend, trust is our number 1 value and protection of our customers’ data is paramount. Therefore, long before GDPR we were trying to create an online survey solution with respect to your and your respondent’s privacy and security. Recently, thanks to the new GDPR legislation and clearer directions from EU, we’ve updated parts of our system to fully comply with the new privacy protection law.

In this article:

Some fundamental GDPR info

collecting personal data

Honestly, nobody likes to be watched or followed without knowing who’s watching them and why; it’s creepy.

And yet many companies and organizations silently monitor us and collect data about us. We don’t know why they do it and what they want to do with it. We don’t know how they get hold of our personal information, how long do they keep it, how do they process it, with whom do they share it, and what can they really understand from it. This is where the beloved GDPR laws are originating from, to protect everyone from nasty intentions and also to teach us the magnitude of our responsibilities and to reflect how serious it is to collect and process personal information about people.

So, let’s be positive and welcome this law. It doesn’t have to be hard to be GDPR-compliant. Just a few new things to learn. So let’s start:


What is “Personal Data”

So, let’s see what does “personal data” mean.

The word “data” is pretty technical and has an ambiguous meaning.  This PDF that the ICO provide can explain the legal definitions if you want to be very pedantic about it. Otherwise, we recommend that you to be pragmatic and assume that, yes, your business does deal with data and specially Personal Data; as this is usually the case with forms and surveys.

Personal data on the contrary is easy to define:

data which relate to a living individual who can be identified:

  • a) from those data, or
  • b) from those data and other information which is in the possession of, or is likely to come into the possession of, the Data Controller*.

Of course a list of names and addresses can be considered as personal data. But if you have another list with pieces of information and a way to match that list with a list of names and addresses, that would also be considered as personal data.

There’s also a more specific category of personal data that you need to be more careful about, sensitive personal data, which is essentially any personal data which relates to:

Sensitive personal data are:

  • racial or ethnic origin
  • political opinions
  • religious beliefs
  • trade union membership
  • health (physical or mental)
  • sexual activity
  • genetic and biometric data


What is processing of personal data

Processing means any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. In practical terms, this means any process that stores or consults personal data is considered processing.


Principles of processing personal data

Keep in mind that the way GDPR puts it, literally anything you do with the personal data, means that you are processing it. Having that in mind, we go to Article 5 of the GDPR, which defines 6 principles for processing personal data:

  1. processed lawfully, fairly and transparently;
  2. processed only for specified purposes, not for other purposes;
  3. collected as much as needed for what you intend to do and preform the job accurately, not more;
  4. accurate and up to date if necessary, otherwise they must be erased or corrected;
  5. kept no longer than necessary;
  6. kept and processed securely.


Who is “Data Controller ?” and who is “Data Processor ?”

  • ? Data Controller is any person who determines how and why (i.e. the business purpose) personal data will be processed;
  • Data Processor: is any person who processes personal data on behalf of a data controller.

Keep in mind that when the act mentions persons, it’s actually talking about legal personswhich includes most businesses. Therefore a controller will be the business you work for, not you personally.

So, normally, when you do research and conduct surveys, you (your organization or company) are both data controller and data processor simultaneously. But sometimes you may want to outsource the processing of data to third parties. So you must make sure that your data processor is compliant.

Whilst our company (SurveyLegend) is processor for all of our customers, we’re also a controller for our own employees, customers and users data.


Is your ? data processor compliant?

So, let’s assume that you are hiring a data processor to improve your research process,  Article 28  states that:

The controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

So if we translate it to human language :) – it’s your responsibility to make sure that your data processors operate in a GDPR-compliant way. So if you have a Data Protection Officer, ask them to check your supplier’s (processors’) privacy and security policies to ensure that they adhere to the GDPR (here are our terms and privacy policy and GDPR Compliance info). Additionally, based on the new rules you must make certain that your processor has have GDPR-compatible contracts in place with their own processors (sub-processors). This should be reflected in their policies clearly.


Transferring data ? → ? outside the EU

The GDPR also puts up some restrictions on transferring data outside of the European Union. Only if “appropriate safeguards” such as privacy shield are in place, you can let the data to go out of the EU. Your processor should be able to explain where they store their data, and prove it’s either in the EU or other country but covered by an agreement such as Privacy Shield. See ours here.


Individuals’ rights

The hole point with GDPR is that individuals own their own data. It’s not like before that companies “owned” your/our data and could do whatever they wanted with it and the only choice we had was “deleting our account” if we didn’t want to use their services or didn’t like their policies. Even that wouldn’t give us back the data which we had shared with them up-to that point.

So, because data is owned by the individuals, law gives them the following rights:

  • Access their personal data;
  • Correct errors in their personal data;
  • Erase their personal data;
  • Object to processing of their personal data;
  • Export personal data.

✅ Making your questionnaires GDPR-compliant

Now let’s see how you can apply all of these principles in your research practice and when conducting surveys.

To make your surveys or forms compliant with GDPR, you must do several things. So, here we must briefly review a few additional notions of “lawful processing”, “legitimate interest” and “consent”.

Lawful processing

First of all, you must do a lawful processing of data. What is considered lawful is explained here in Article 6, subparagraph 1 if you want to challenge your skills of comprehending the English language. However, as we understand it they are just trying to say that:

  1. When collecting personal data your respondents must deliberately and willfully tell you that it is OK that you collect data about them, for the purposes that you clearly explain for them. In other words, they should give you consent.
  2. When collecting personal data you (your organization or company) should be able to convincingly prove that collecting feedback is in your legitimate interest.


Legitimate interest

“Legitimate interests” means that it’s in your (and your customers’) interests to collect feedback, data and their personal info. For example to solve their problems, or enhance your services.


Please note that the GDPR is extrememly explicit at not letting organisations use the “legitimate interests” clause as an excuse for marketing activities. You may need to doublecheck this if you are doing Market Research activities. So, make sure your feedback processors and marketing folk have a thick wall in between.


Sharing collected data in a GDPR-friendly way

With SurveyLegend, you can export collected survey data in different formats, and share it with 3rd parties (externally, not within our system).

However, the risk is that you may unintentionally expose personal or sensitive data in this way, because everything will be included in your exported data.

However, we offer a better way of sharing data in real-time!!, which does not expose any personally identifiable information to the viewers.

You can do so, simply by activating a public link to share your real time data, by going to the Real-time survey results Live Analytics view, and clicking on the share data icon GDPR friendly Share data menu.

Clicking on the Share Data button gives you options of sharing your surveys privately or publicly.


Our system automatically filters away all text-based questions and answers (which are normally the ones that contain personally identifiable data) and shows other questions and graphs to your visitors. They cannot see individual respondents or download the data. Additionally, no other info about individual respondent’s devices, or cities or countries is shown to them.

Learn more about sharing survey results in real time, in a GDPR-friendly way…

In case of data breach

What happens if you figure out that there has been some data breach and your collected personal data has been exposed to third parties?

Reporting to the authorities

Reporting is only required for breaches which will result in:

“risk to people’s rights or freedoms”

“discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.”

In Article 33 they mention that if your respondents’ personal information is exposed in a way that results in risking or damaging them, you (the data controller) not later than 72 hours after having become aware of it, must notify the personal data breach to the supervisory authority competent in accordance.

Reporting to your respondents

If you identify that there is a “high risk to their rights and freedoms”, then you must notify your respondents too.

For most types of feedback forms, it’s quite difficult to consider the data-breach as high-risk. Unless you’re processing sensitive data, for example if your business is in the health sector.

Will I have to pay a 20 million Euros fine if something happens?

Almost certainly not! This €20,000,000 has been a hot headline but this is for the absolute worst cases. There is also a lower fine of 10 million Euros which is also for standard offences.

According to ICO’s news blog, fines are the last resort. The law is there to help (or sort of force) businesses to do the right thing and correct their structure. It’s to protect people. It is not about giving fines to small businesses here and there.

Fines are for the bad guys with bad intentions! You’re not one of them. You’re a legend, already finishing this article, because you want to do the right thing.

But our organization has nothing to do with EU citizens

Many people wonder about this. Our company is not located in the EU. We’re not dealing with citizens of Europian Union? Should we still care about GDPR?

Well, the short answer is: “usually not, but it depends”. However, the right answer is, “Of course you should!”.

Unlike the old law of Data Protection Directive, the GDPR can apply to any globally operating company. It is not made just for those located in the EU.

Under the GDPR, organizations may be in scope if:

  • the organization is established in the EU, or
  • the organization is not established in the EU but the data processing activities are with regard to EU individuals and relate to the offering of goods and services to them or the monitoring of their behavior.

Even if your company is not established here, we recommend you to take the law very seriosuly and reform how you handle personal data in your organization.

The GDPR is about having a healthy digital culture in the company. It is about respecting privacy of individuals. It is not about EU citizens.

It’s true that the initiative has taken place in EU to protect their own citizens. But first of all, how do you know when your own company will enforce similar laws? Isn’t it better to be ready for it already? Secondly, why not practicing a better version of treatment for personal information of people who trust you and give it to you? There is noting wrong with that :)

And you never know, maybe someone from EU answers your surveys and then…. things go ?

If for some reason you must treat citizens of other regions differently in your surveys when it comes to personal data collection, then use our survey logics, ask if they are from EU, and if the answer is NO, do show or hide those questions that you must.


This article is written in a simple way, and can be used for most companies and researchers. We have tried to clarify what we have understood from GDPR, when it comes to collecting data using Surveys, Forms, or online questionnaires.

However, every research case is different and every company or organization may collect data (or personal data) for different purposes and in different ways.

Therefore, the precautions and practical tips that we suggest here may not be enough for some special cases.

Therefore, we strongly recommend you to consult a professional, if your organization have access to a lawyer and you are in doubt about the way you collect process your respondents’ personal data.

Please don’t hesitate to let us know if you find flaws in our article, together we can make it even more GDPR-proof. So leave us some comments, don’t be shy.


About the Author
I eventually grew up after painting on many walls, getting too many scars, watching loads of animated movies, taking care of lots of injured animals, and inventing crazy strategies to bypass the "dictatorship" of the adults, and got a B.A. in Psychology. Shortly after, I grew up a bit more and got two M.A. degrees in art & design. Today, after growing up slightly more, I realize that I've been working with many companies and brilliant people, inventing new tech solutions, designing & coding cool stuff, making cute illustrations; while still truly enjoying, loving, and adoring the mother nature and all amazing cuddly creatures out there.