
Surveys: Compliance with the GDPR!

Do surveys need to adhere to the GDPR?

Hint – Just like any lawyer would tell you… it depends. However, if personal data is being collected, handled and/or processed, then GDPR needs to be adhered to.

If you are conducting a survey whereby personal data is involved, then GDPR applies. However, it does not affect all companies that conduct a survey (whether it’s in relation to an employee or to a customer).

If the survey being conducted is anonymous and thus there is no need to input personal data to submit the survey, then GDPR does not apply.

Anonymous (ish)

“On the contrary, an anonymous survey ensures that responses cannot be connected to individual people.” – Talmetrix – CEO Chris Powell.

The term anonymous is quite vague, especially when referring to a survey. An anonymous survey usually refers to a survey conducted by a researcher, an author or a company in a way that eliminates the collection of the respondent’s personal data or private information, so that whoever participates and fills in the survey is unknown. The question that may arise at this stage is whether a survey can be truly anonymous.

If the data submitted through a survey may be traced to the respondent of the survey, then the survey would not be anonymous, and it would be classified as a personalised survey. This can generally be traced to analytical tools which allow you to view individual responses.

A company which decides to run an anonymous survey is obliged to prevent the participants from being identified.

If the survey is not anonymous, it needs to comply with GDPR requirements. In this case, a survey can identify its respondent if it asks for personal data that, when combined, may identify the respondent (such as e-mail address, contact details, age and gender).

The Specific Guidelines

All the data that is being processed needs to be legally, ethically and transparently handled.

This process includes, inter alia, earmarking, data minimisation (collecting as little data as possible) and accountability (companies must be able to prove at any time that their methods of collecting personal data are compliant with GDPR), as per Article 5 of the GDPR. A company which is conducting the survey is obliged to follow the GDPR.

A company should be aware of the impact of GDPR on its daily operations. Although a general approach cannot be taken in this regard, it is important to know that Article 7 of the GDPR impacts most of the companies conducting such surveys.

To be in line with this Article, survey participants must provide their consent to allow the company conducting the survey to collect and handle their personal data.

Clear Consent

In this regard, the consent of the participants is ONLY effective if the stipulated conditions are met. The survey needs to include a section which clearly informs the participants about how the collected data will be used and the purpose of the survey.

It is the participant’s choice whether to participate or not. For this reason, the consent check box cannot be pre-ticked, and the participants need to tick it themselves. It is important to note that participants shall reserve the right to revoke their consent.

GDPR Conditions for consent

What if a Data Breach Occurs?

A data breach must be reported to the appointed supervising authority within 72 hours from when the data breach occurred. In the report, there needs to be a detailed description of the incident and an identification of any potential risks. The report needs to also highlight the measures that were taken to minimise or eliminate the identified risks.

As of 25th May 2018, companies were obliged (and still are) to follow and comply with the GDPR. When it comes to surveys, if the company conducting the survey is processing or wants to process data, then it must meet GDPR requirements.

Tip: Evaluate all data to determine whether it is truly required for the survey or whether it can be removed.

To prevent having a data breach in relation to your survey/s, it is important to consult and get GDPR advice. For every processing of personal data there needs to be a compliance process which complies with the GDPR. If you are interested to know more, contact us on .


The above-mentioned article is simply based on independent research carried out by Dr. Werner and Partner and cannot constitute any form of legal advice. If you would like to meet up with any of our representatives to seek further information, please contact us for an appointment.
