The General Data Protection Regulation (GDPR) came into effect in the European Union in May 2018 and has had a fundamental impact on how organizations treat data from individuals in compliance with the new privacy laws.
Online surveys, which are at the forefront of consumer, market and employee data collection, need to comply with these laws and regulations. To make it easier for QuestionPro survey software users to create and send GDPR compliant data collection surveys, we have put in place a process to ensure all data collected using our platform is fully GDPR compliant.
All GDPR survey settings are under:
Account > Compliance > GDPR
Checkbox: ON / OFF - GDPR Compliance.
NOTE - for accounts on our EU servers, GDPR compliance is turned on by default. In all other data centers, users have to turn on GDPR compliance themselves.
GDPR survey settings apply at the organization level, not the user level.
Every organization that collects data from EU citizens must have a named Data Protection (DP) officer. This person should be empowered within the organization and represent the organization with respect to data and privacy issues.
Account > Compliance > GDPR
Fields for the DP officer's name, email and contact information.
These details are shown via the Privacy & Data Security link in the survey footer, which opens a dedicated page.
Enterprise customers with Edge Support agreements may ask QuestionPro's DP officer to represent the company. This is only applicable to customers with an Edge Service Contract.
GDPR regulations state that companies must make it clear how long data about respondents and users will be retained. QuestionPro itself retains collected data indefinitely as long as the account is active and paid for. Once an account is cancelled, voluntarily or involuntarily (due to non-payment), there is a 30-day grace period after which we remove all data from our servers. This, however, is QuestionPro's OWN data retention policy.
The regulations require that each company outlines its own data retention policy, and more specifically, how long the data is retained.
QuestionPro provides details about its own data expiry policy. We recommend that our customers either adopt or refine their own data retention period and state it clearly.
We empower our survey respondents to set the language of their choice and answer survey questions.
This satisfies the principle of informed consent of subjects and respondents with regard to the expiry of data.
GDPR calls for allowing citizens and users to view and download all the data collected about them. It advises a machine-readable format for respondents to download their data.
QuestionPro provides a mechanism for respondents to download not only the survey data, but also the metadata associated with the user that is captured while collecting their responses. This includes details such as the IP address and browser information.
Respondents are able to view and download it in both PDF and JSON format, for GDPR compliance.
When respondents click on Privacy and Data Security, they see a list of all the surveys they have taken and can download a PDF copy of the data that has been collected from them.
The regulation imposes a legal obligation to notify the supervisory authority of a data breach within 72 hours of becoming aware of it.
GDPR regulations allow selecting a Data Protection Authority (DPA) to supervise the application of the data protection law. QuestionPro has selected the Dutch DPA as the lead supervisory authority that governs data collected by QuestionPro.
In case of a data breach at QuestionPro, we are obligated to notify the DPA in the Netherlands.
In some cases, our clients may want to select their own Supervisory Authority. Those customers must then use their own supervisory authority and can notify it about a data breach as soon as we notify them.
In cases where there is a data breach without our involvement (for example, a laptop holding survey respondent data is stolen), it is up to our clients to notify their own supervisory authority regarding the breach.
QuestionPro provides a mechanism for each of our clients in the EU to select the Supervisory Authority they want.
QuestionPro has a standard processor agreement for all customers. This standard agreement lists our obligations as a data processor.
We realize that enterprises may have their own DPAs (data processor agreements) that QuestionPro needs to sign and agree to. This is only available to our Enterprise License Customers, for whom we review and agree to your DPA.
For all other customers, QuestionPro has a standard DPA, and we will not modify or negotiate the language of the agreement.
Right to be forgotten
When users click on privacy and data protection, they can request that their data, at the individual-response level, be deleted. They can also delete all of their survey responses. Further, they can ask the system to completely "forget" them, including all cookies about the user. QuestionPro then automatically removes all references to the user from its servers.
Research and acknowledgement
When users click on data and privacy, the stated purpose of the research and data use is presented.
QuestionPro offers default language that includes:
Each of these is presented as a paragraph. QuestionPro offers default language that our customers can use. However, it is up to the customers to decide which options to choose. They may also edit the content and language.
The default options are available in English, Spanish, French, German, Arabic, Hebrew, Japanese and Chinese. Other languages can be added; however, the customers need to provide the content and translations.
There are two kinds of entities as far as GDPR is concerned.
In most cases, there is a single data collection entity that uses one or more processors. Processors may in turn use other data processors. To protect this chain of responsibility, GDPR envisions that DPAs (Data Processing Agreements) be entered into between processors and sub-processors.
QuestionPro has DPAs in place with all the companies it uses as processors (including data center providers and cloud infrastructure providers). This ensures that all our contracts are GDPR compliant.
Furthermore, QuestionPro provides a standard GDPR compliant DPA. This form / template agreement is the standard form that QuestionPro provides to all clients that want to be GDPR compliant. No changes to this agreement are allowed. Clients with an Enterprise License may request changes to the standard DPA; however, it will take 30-60 days for approval of changes to our standard DPA.