GDPR: What do I need to think about when using (online) survey tools?
When you use an (online) survey tool for your research to collect personal data, you need to make sure that this survey tool is GDPR compliant and that you follow the GDPR principles when using this tool.
UGent has had a campus licence for Qualtrics since 1/01/2022. Other survey tools are no longer supported by DICT. More information on how to use Qualtrics can be found in this research tip.
How do I know if an online survey tool is GDPR compliant?
Attention: some tools also use the personal data you collect with them for other (their own!) purposes, e.g. direct marketing or advertising, and sometimes they even sell these personal data to third parties. We recommend that you do not use these tools.
How can I use online survey tools in a GDPR compliant way?
'GDPR compliant' also requires correct use of the tool. After all, even a tool that is guaranteed to be GDPR compliant (according to the supplier and preferably also according to external reviews or certificates) can be used incorrectly, in which case you violate the basic principles of the GDPR.
Using the tool in a 'GDPR compliant' way is your responsibility as a researcher.
Practical guidelines: how should you proceed?
As a researcher, you should always implement the basic principles of the GDPR ("privacy by design") when designing your survey. You can keep these questions in mind:
- Do I really need personal data? Can I also work with anonymous data?
- What personal data do I need to achieve the research goal (data minimization)?
- How will I pseudonymise or anonymise personal data as soon as possible after the data collection?
- Are the respondents (survey participants) sufficiently informed about the data collection, the purpose and their rights prior to their participation (transparency)? In a project-specific privacy statement? In an invitation to participate in the survey? Is there an information letter, e-mail or page? In another way?
- How will I ask the participants for active consent?
- Where will the data collected in the survey be securely stored and kept (data protection)? Locally on a UGent server or in a cloud application (your own/the tool's)? Inside or outside Belgium or even outside the EU?
- Do I need additional mechanisms for participants to access, change or delete their data? How can participants withdraw their consent, have their data changed or deleted?
- Have I completed the GDPR Register (in DMPonline.be)?
In addition to the above questions about designing your survey/questionnaire, the questions below can help you to select a proper (online) survey tool:
- Where are the personal data in the (online) survey tool stored? If the data are stored on servers outside the EU, they do NOT fall under the protection of the GDPR and you will have to take additional and strict measures to bring them up to the right level of protection. Using (online) survey tools with servers outside the EU is not recommended.
- Does the (online) survey tool offer sufficient guarantees regarding security and protection of the data? Does the tool itself have certain contracts or certificates such as ISO27001 certification or results of security analyses (security audits, pen tests, etc.)?
- Does the tool offer sufficient security guarantees (e.g. are data connections encrypted with HTTPS and SSL/TLS certificates)?
- Does the tool itself use the personal data you collect for any activities other than those for which you have given instructions?
- Are the data automatically deleted by the (survey) tool afterwards? If this is not possible, make sure that you can demand this or delete your data in the tool yourself.
- How can the participants exercise their rights? Can this be set in the (online) survey tool itself? Or should this be done separately, e.g. via e-mail to you?
- Can you adjust the settings with regard to data collection, retention and protection? For example: can you disable the collection of the IP address of participants in the settings of the online survey tool?
- Have you drawn up a data processing agreement with the (online) survey tool? In most cases the (online) survey tool will act as processor and you will act, on behalf of UGent, as the data controller. Contact the legal support office of TechTransfer to request a contract (processing agreement with the survey tool).
- What happens if there is a data breach? Will you, as a user, be notified of this within the stipulated time?
You can find the answer to most of these questions in the privacy statement, the website or other data protection information of the (online) survey tool.
- Preferably use Qualtrics for online surveys.
- Make sure you have taken appropriate and sufficient measures to collect and process personal data securely and in line with the GDPR. Think about data minimization, data protection and transparency.
- Check the website, privacy statement and other data protection information of the (online) survey tool.
- Draw up a processing agreement in which you lay down the right conditions for the processing of personal data (contact the legal support office of TechTransfer).
- Register your data processing activities in the UGent GDPR-Register (via DMPonline.be) before you start.
Last modified Nov. 28, 2022, 3:02 p.m.