Do Surveys Need to Adhere to the GDPR?
Hint — Just like any lawyer would tell you… it depends. However, if personal data is being collected, handled and/or processed, then GDPR needs to be adhered to.
If you are conducting a survey in which personal data is involved, then GDPR applies. However, it does not affect all companies that conduct a survey (whether it’s in relation to an employee or to a customer).
If the survey being conducted is anonymous and thus there is no need to input personal data to submit the survey, then GDPR does not apply.
“On the contrary, an anonymous survey ensures that responses cannot be connected to individual people.” — Talmetrix — CEO Chris Powell.
The term “anonymous” is quite vague, especially when referring to a survey. An anonymous survey usually refers to a survey conducted by a researcher, an author or a company in a way that eliminates the collection of the respondent’s personal data or private information, so that whoever participates and fills in the survey is unknown. The question that may arise at this stage is whether a survey can be truly anonymous.
If the data submitted through a survey may be traced to the respondent of the survey, then the survey would not be anonymous, and it would classify as a personalised survey. This may generally be traced to analytical tools which allow you to view individual responses.
A company which decides to run an anonymous survey is obliged to prevent the participants from being identified.
If the survey is not anonymous, it needs to comply with GDPR requirements. In this case, a survey can identify its respondent if it asks for personal data which, when combined, may identify the respondent (such as e‑mail address, contact details, age and gender).
The Specific Guidelines
All the data that is being processed needs to be legally, ethically and transparently handled.
This process includes, inter alia, earmarking, data minimisation (collecting as little data as possible) and accountability (companies must be able to prove that their methods of collecting personal data are compliant with GDPR at any time), as per Article 5 of the GDPR. A company which is conducting the survey is obliged to follow the GDPR.
A company should be aware of the impact of GDPR on its daily operations. Although a general approach cannot be taken in this regard, it is important to know that Article 7 of the GDPR impacts most of the companies conducting such surveys.
To be in line with this Article, survey participants must provide their consent to allow the company conducting the survey to collect and handle their personal data.
In this regard, the consent of the participants is ONLY effective if the stipulated conditions are met. The survey needs to include a section which clearly informs the participants about how the collected data will be used and the purpose of the survey.
It is the participant’s choice whether to participate or not. For this reason, the consent check box cannot be pre-ticked, and the participants need to tick it themselves. It is important to note that participants shall reserve the right to revoke their consent.
What if a Data Breach Occurs?
A data breach must be reported to the appointed supervising authority within 72 hours from when the data breach occurred. In the report, there needs to be a detailed description of the incident and an identification of any potential risks. The report needs to also highlight the measures that were taken to minimise or eliminate the identified risks.
As of 25th May 2018, companies were obliged (and still are) to follow and comply with the GDPR. When it comes to surveys, if the company conducting the survey is processing or wants to process data, then it must meet GDPR requirements.
Tip: Evaluate all data to determine whether it is truly required for the survey or whether it can be removed.
To prevent a data breach in relation to your surveys, it is important to consult and get GDPR advice. For every processing of personal data there needs to be a compliance process which complies with the GDPR. If you are interested in knowing more, contact us on firstname.lastname@example.org.
The above-mentioned article is simply based on independent research carried out by Dr. Werner and Partner and cannot constitute any form of legal advice. If you would like to meet up with any of our representatives to seek further information, please contact us for an appointment.