GDPR: What do I need to think about when using (online) survey tools?
When you use an (online) survey tool for your research to collect personal data, you need to make sure that this survey tool is GDPR compliant and that you follow the GDPR principles when using this tool.
How do I know if an online survey tool is GDPR compliant?
Attention: some tools also use the personal data you collect in their tool for other (their own!) purposes (e.g. direct marketing, advertising and sometimes they even sell these personal data to third parties). We recommend you not to use these tools.
How can I use online survey tools in a GDPR compliant way?
‘GDPR compliant' also requires correct use of the tool. After all, you can use a tool that is guaranteed to be GDPR-compliant (according to the supplier and preferably also according to external reviews or certificates) incorrectly, which means that you violate the basic principles of the GDPR.
Using the tool in a 'GDPR compliant' way is your responsibility as a researcher.
Practical guidelines: how should you proceed?
As a researcher, you should always implement the basic principles of the GDPR ("privacy by design") when designing your survey. You can keep these questions in mind:
- Do I really need personal data? Can I also work with anonymous data?
- What personal data do I need to achieve the research goal (data minimization)?
- How will I pseudonymise or anonymise personal data as soon as possible after the data collection?
- Are the respondents (survey participants) sufficiently informed about the data collection, the purpose and their rights prior to their participation (transparency)? In a project-specific privacy statement? In an invitation to participate in the survey? Is there an information letter, e-mail or page? In another way?
- How will I ask the participants for an active consent?
- Where will the data collected in the survey be securely stored and kept (data protection)? Locally on a UGent server or in a cloud application (your own/the tool's)? Inside or outside Belgium or even outside the EU?
- Do I need additional mechanisms for participants to access, change or delete their data? How can participants withdraw their consent, have their data changed or deleted?
- Have I completed the GDPR Register? (in DMPonline.be)
In addition to the above questions about designing your survey/questionnaire, the questions below can help you to select a proper (online) survey tool:
- Where are the personal data in the (online) survey tool stored? If the data is stored on servers outside the EU, this does NOT fall under the protection of the GDPR and you will have to take additional and strict measures to bring this up to the right level of protection. Using (online) survey tools with servers outside the EU is not recommended.
- Does the (online) survey tool offer sufficient guarantees regarding security and protection of the data? Does the tool itself have certain contracts or certificates such as ISO27001 certification or results of security analyses (security audits, pen tests, etc.)?
- Does the tool offer sufficient security guarantees (e.g. are data connections encrypted with HTTPS encryption and SSL certificates?).
- Does the tool itself use the personal data you collect for any other activities than those for which you have given the order?
- Are the data automatically deleted by the (survey) tool afterwards? If this is not possible, make sure that you can demand this or delete your data in the tool yourself.
- How can the participants exercise their rights? Can this be set in the (online) survey tool itself? Or should this be done separately, e.g. via e-mail to you?
- Can you adjust the settings with regard to data collection, retention and protection? For example: can you disable the collection of the IP address of participants in the settings of the online survey tool?
- Have you drawn up a data processing agreement with the (online) survey tool? In most cases the (online) survey tool will act as processor, you will act on behalf of UGent as the data controller. See the contract portal to request a contract (processing agreement with the survey tool)
- What happens if there is a data breach? Will you, as a user, be notified of this within the stipulated time?
You can find the answer to most of these questions in the privacy statement, the website or other data protection information of the (online) survey tool.
Below you will find an answer to the above questions for the Qualtrics tool as an example. This information is available on the Qualtrics website.
- Have you entered into a data processing agreement with Qualtrics? In most cases Qualtrics will act as processor, you will act on behalf of UGent as the data controller. See the contract portal to request a contract (data processing agreement with Qualtrics).
- Where is the data stored in the online survey tool? Qualtrics has affiliates and external service providers outside the European Economic Area (the "EEA") and will sometimes transfer personal data to countries outside the EEA. If there are transfers to a country that has no adequacy decision, Qualtrics will use the EU Model Contractual Clauses to contractually require that personal data get a level of data protection consistent with the EEA. You should request a copy of such model contractual clauses by sending a request to firstname.lastname@example.org and further contacting Tech Transfer (via the contracts portal).
- Does the (online) survey tool offer sufficient guarantees regarding security and data protection? Qualtrics has an ISO 27001 certificate and is FedRAMP authorized. The effectiveness of the existing technical and organizational security measures is regularly tested and evaluated. Qualtrics takes daily backups for disaster recovery. The personal data in these backups are permanently deleted after 90 days.
- Does the tool provide sufficient security guarantees? All responses stored in the EU data centers are encrypted using AES-256. Data sent to the Qualtrics platform is encrypted using the TLS protocol.
- Does the tool itself not execute any other processing or activities with the data than the ones you have commissioned? Qualtrics only processes data based on your instructions. Qualtrics does not use personal data for any other purpose and does not transfer personal data to third parties or sub-processors without your consent. If personal data is transferred from the EU to a third country, necessary measures are taken to secure the data.
- Are the data automatically deleted by the (survey) tool afterwards? Deleting (personal) data is the responsibility of the user. It is possible to delete individual answers, answers to the entire survey or even entire projects. A deleted answer is initially marked for deletion, and can be restored by Qualtrics Support upon request. After 30 days, the deletion becomes permanent and cannot be restored. To permanently and immediately delete data, the administrator (or a user with equivalent permissions) can perform a permanent deletion. Permanently deleted data is irretrievable, even by Qualtrics Support. When a contact is deleted, it is permanently deleted.
- Is there an easy way in the tool to provide the necessary information and seek active consent from respondents? For the information requirement, you can enter a page of text (without a question) in Qualtrics that includes all the required information (possibly with an additional reference to an external website with a comprehensive privacy statement). For asking permission, you can add a question that is mandatory to be filled out. If the respondents answer 'no' to this question, you can redirect them to the end of the survey without collecting any further personal data.
- How can participants exercise their rights? If a participant wants to exercise his/her rights, you as a researcher can easily change answers, delete answers to certain questions, delete participants (and all their answers) or download the answers of a participant.
- Can you customize the settings regarding data collection, retention and protection? Qualtrics offers the possibility to create and distribute surveys with anonymous links where no personal contact information is linked to the survey results. In addition, in the survey options you can also choose anonymised responses. In this case, no IP addresses are stored. If you don't ask questions in the survey itself that collect personal data, you can collect anonymous data this way (which puts you outside the scope of the GDPR).
- What happens if there is a data breach? If there is a data breach, Qualtrics will notify the administrator of this data breach.
- Make sure you have taken appropriate and sufficient measures to collect and process personal data securely and in line with the GDPR. Think about data minimization, data protection and transparency.
- Check the website, privacy statement and other data protection information of the (online) survey tool.
- Draw up a processing agreement in which you lay down the right conditions for the processing of personal data (see contracts portal).
- Register your data processing activities in the UGent GDPR-Register (via DMPonline.be) before you start.
Last modified Nov. 18, 2021, 9:50 a.m.