GDPR: what are some things to consider when using (online) survey tools?
When using an (online) survey tool to collect personal data for your research, you need to make sure that the tool is GDPR compliant and that you follow the GDPR principles when using it.
UGent has had a campus licence for Qualtrics since 1 January 2022. Other survey tools are no longer supported by DICT.
How do I know if an online survey tool is GDPR compliant?
Attention: some tools also use the personal data you collect in their tool for other (their own!) purposes (e.g. direct marketing or advertising; sometimes they even sell these personal data to third parties). We advise against using these tools.
How do I use online survey tools in a GDPR compliant way?
'GDPR compliant' also requires correct use of the tool. After all, you can use a tool that is guaranteed to be GDPR compliant (according to the supplier and preferably also according to external reviews or certificates) incorrectly, which means that you violate the basic principles of the GDPR.
It's your responsibility as a researcher to use the tool in a 'GDPR compliant' way.
Practical guidelines: how should you proceed?
As a researcher, you should always implement the basic principles of the GDPR ('privacy by design') when designing your survey. You can keep these questions in mind:
- Do I really need personal data? Can I also work with anonymous data?
- What personal data do I need to achieve the research goal (data minimization)?
- How will I pseudonymise or anonymise personal data as soon as possible after data collection?
- Are the respondents (survey participants) sufficiently informed about the data collection, the purpose and their rights prior to their participation (transparency)? In a project-specific privacy statement? In an invitation to participate in the survey? Is there an information letter, e-mail or page? Or are they informed another way?
- How will I ask the participants for active consent?
- Where will the data collected in the survey be securely stored and kept (data protection)? Locally on a UGent server or in a cloud application (your own/the tool's)? Inside or outside Belgium or even outside the EU?
- Do I need additional mechanisms for participants to access, change or delete their data? How can participants withdraw their consent, have their data changed or deleted?
- Have I completed the GDPR Register (in DMPonline.be)?
- Have I removed all (personal) data from the online tool when the survey is completed?
In addition to these questions about designing your survey/questionnaire, the questions below can help you to select a proper (online) survey tool:
- Where are the personal data in the (online) survey tool stored? If the data is stored on servers outside the EU, this does NOT fall under the protection of the GDPR and you'll have to take additional and strict measures to bring this up to the right level of protection. Using (online) survey tools with servers outside the EU is not recommended.
- Does the (online) survey tool offer sufficient guarantees regarding security and protection of the data? Does the tool itself have certain contracts or certificates, such as ISO27001 certification or results of security analyses (security audits, pen tests, etc.)?
- Does the tool offer sufficient security guarantees (e.g. are data connections encrypted with HTTPS encryption and SSL certificates)?
- Does the tool itself use the personal data you collect for any activities other than those for which you have given the order?
- Are the data automatically deleted by the (survey) tool afterwards? If this isn't possible, make sure that you can demand it or delete your data in the tool yourself.
- How can the participants exercise their rights? Can it be arranged in the (online) survey tool itself? Or should it be done separately, e.g. via e-mail to you?
- Can you adjust the settings with regard to data collection, retention and protection? For example: can you disable collection of the participants' IP addresses in the survey tool's settings?
- Have you drawn up a data processing agreement with the (online) survey tool? In most cases the (online) survey tool will act as processor and you will act on behalf of UGent as the data controller. Between UGent and Qualtrics, the necessary aspects regarding privacy and security were already laid down in a processing agreement. If you decide to use Qualtrics for your research, you no longer need to conclude a processing agreement yourself. If you wish to use a tool other than Qualtrics, contact the TechTransfer's legal support office and request a contract (processing agreement with the survey tool).
- What happens if there's a data breach? Will you, as a user, be notified within the stipulated time?
You can find the answer to most of these questions in the privacy statement, the website or other data protection information of the (online) survey tool.
- Preferably use Qualtrics for online surveys.
- Make sure you've taken appropriate and sufficient measures to collect and process personal data securely and in line with the GDPR. Think about data minimization, data protection and transparency.
- Check the website, privacy statement and other data protection information of the (online) survey tool.
- If you wish to use a tool other than Qualtrics, draw up a processing agreement in which you lay down the right conditions for personal data processing (contact TechTransfer's legal support office).
- Register your data processing activities in the UGent GDPR Register (via DMPonline.be) before you start.
Last modified Aug. 28, 2023, 10:45 a.m.