Surveys: Compliance with the GDPR!

Do surveys need to adhere to the GDPR?

Hint — Just like any lawyer would tell you… it depends. However, if personal data is being collected, handled and/or processed, then GDPR needs to be adhered to.

If you are conducting a survey in which personal data is involved, then GDPR applies. However, it does not affect all companies that conduct a survey (whether it’s in relation to an employee or to a customer).

If the survey being conducted is anonymous and thus there is no need to input personal data to submit the survey, then GDPR does not apply.

Anonymous (ish)

“On the contrary, an anonymous survey ensures that responses cannot be connected to individual people.” — Talmetrix — CEO Chris Powell.

The term anonymous is quite vague, especially when referring to a survey. An anonymous survey usually refers to a survey conducted by a researcher, an author or a company in a way that eliminates the collection of the respondent’s personal data or private information, so that whoever participates and fills in the survey is unknown. The question that may arise at this stage is whether a survey can be truly anonymous.

If the data submitted through a survey may be traced to the respondent of the survey, then the survey would not be anonymous, and it would be classified as a personalised survey. This may generally be traced to analytical tools which allow you to view individual responses.

A company which decides to run an anonymous survey is obliged to prevent the participants from being identified.

If the survey is not anonymous, it needs to comply with GDPR requirements. In this case, a survey can identify its respondent if it asks for personal data that, when combined, may identify the respondent (such as e-mail address, contact details, age and gender).

The Specific Guidelines

All the data that is being processed needs to be legally, ethically and transparently handled.

This process includes, inter alia, earmarking, data minimisation (collecting as little data as possible) and accountability (companies must be able to prove at any time that their methods of collecting personal data are compliant with GDPR), as per Article 5 of the GDPR. A company which is conducting the survey is obliged to follow the GDPR.

A company should be aware of the impact of GDPR on its daily operations. Although a general approach cannot be taken in this regard, it is important to know that Article 7 of the GDPR impacts most of the companies conducting such surveys.

To be in line with this Article, survey participants must provide their consent to allow the company conducting the survey to collect and handle their personal data.

Clear Consent

In this regard, the consent of the participants is ONLY effective if the stipulated conditions are met. The survey needs to include a section which clearly informs the participants about how the collected data will be used and the purpose of the survey.

It is the participant’s choice whether to participate or not. For this reason, the consent check box cannot be pre-ticked, and the participants need to tick it themselves. It is important to note that participants retain the right to revoke their consent.

GDPR Conditions for consent

What if a Data Breach Occurs?

A data breach must be reported to the appointed supervising authority within 72 hours from when the data breach occurred. The report needs to include a detailed description of the incident and an identification of any potential risks. The report also needs to highlight the measures that were taken to minimise or eliminate the identified risks.

As of 25th May 2018, companies were obliged (and still are) to follow and comply with the GDPR. When it comes to surveys, if the company conducting the survey is processing or wants to process data, then it must meet GDPR requirements.

Tip: Evaluate all data to determine whether it is truly required for the survey or whether it can be removed.

To prevent a data breach in relation to your survey/s, it is important to consult and get GDPR advice. For every processing of personal data there needs to be a compliance process which complies with the GDPR. If you are interested in knowing more, contact us on


The above-mentioned article is simply based on independent research carried out by Dr. Werner and Partner and cannot constitute any form of legal advice. If you would like to meet up with any of our representatives to seek further information, please contact us for an appointment.

About Dr. Rebecca Mifsud

Dr Rebecca Mifsud, born 6th May 1994, attended the University of Malta and is an LLB Honours graduate. She also graduated in the Masters in Advocacy and will be sitting for her Malta Warrant Exam in 2019. She successfully defended her dissertation entitled: ‘Imputing responsibility for football injuries inflicted by minors in the Maltese scenario,’ in 2017.
