It is important to ensure GDPR compliance when collecting personal data, as numerous sanctions have been imposed in this regard (see 14 GDPR Sanctions You Must Know). However, it is quite easy to implement minimal rules and avoid the risk of a fine.
In most cases, collecting data through a questionnaire, form, or web survey will trigger the application of the GDPR, because the user's IP address is processed (and an IP address is considered personal data under the GDPR).
Therefore, there are certain important obligations to implement to ensure compliance (I). We will then look at a practical example (II).
I. - Key Obligations to Comply With
There are a number of important obligations to comply with: adding the processing activity to the registry, minimizing collected data, and displaying GDPR information notices.
Step 1: Add the Processing Activity to the Registry
As soon as an organization sets up an activity that processes personal data (under the GDPR, any data that allows the identification of individuals, directly or indirectly), the organization must reference this activity in a registry.
Note that what is referenced is not the data itself but the processing activity (e.g., conducting customer satisfaction surveys). The reason is that the registry then shows where the personal data processed by the organization are, so that their compliance can subsequently be verified (e.g., their security, the periods during which the data are processed, etc.).
Typically, GDPR compliance management software is used for this. In the case of Legiscope, the software already offers a series of pre-written, GDPR-compliant standard data collection and processing activities, so one can simply import this type of processing into the registry:
Once the activity is imported, it will be automatically added to the registry and the description of the processing activity will be compliant with the requirements of Article 30 for the creation of the registry.
Indeed, the organization must detail:
- a) the name and contact details of the data controller and, where applicable, the joint controller, the representative of the data controller, and the data protection officer;
- b) the purposes of the processing;
- c) a description of the categories of data subjects and the categories of personal data;
- d) the categories of recipients;
- e) transfers of personal data;
- f) the envisaged time limits for the erasure of the different categories of data;
- g) a general description of the technical and organizational security measures.
It is possible to write this documentation manually, but the task is laborious for each processing activity; here, the drafting has already been done in full:
Once the activity is added to the registry, it is then necessary to minimize the collected data.
Step 2: Minimize Collected Data
The GDPR requires the collection of the minimum amount of data from the data subjects (Art. 5): personal data must be
"adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimization)".
Therefore, it is necessary to reflect on the questions asked and ensure that they are adequate in relation to the objectives of the processing.
For example, for a company operating a home cleaning service:
- the quality of the cleaning: rating from 1 to 10
- the punctuality of the person: rating from 1 to 10
- the politeness of the person: rating from 1 to 10
- the name of the client or their identifier
These data are objectively necessary for evaluating the service. Note that the data here are well minimized by using a rating from 1 to 10 and carefully avoiding a free text field, which would allow clients to enter all sorts of data (comments unrelated to the work performed, or personal data about the cleaner or themselves).
This is an important element of implementation, and it should be enforced on the server side as well as in the form, since a client can submit fields the form never displayed.
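The following is an added example (not part of the original article or of Legiscope) showing how the minimized schema above can be enforced server-side: only the four expected fields are accepted, ratings must be integers from 1 to 10, and the client identifier is restricted to an opaque token so that no field can carry free text. The field names, the identifier format and the sample payloads are constructed for this illustration.

```python
"""Server-side check that a survey submission matches the minimized schema (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Hypothetical field names for the home-cleaning satisfaction survey described above.
ALLOWED_FIELDS = frozenset({"client_id", "quality", "punctuality", "politeness"})
RATING_FIELDS = ("quality", "punctuality", "politeness")
# Assumed identifier format: an opaque token without spaces, so it cannot be used as a free-text field.
CLIENT_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


@dataclass(frozen=True)
class SurveyResponse:
    client_id: str
    quality: int
    punctuality: int
    politeness: int


def check_submission(payload: dict) -> list[str]:
    """Return the list of problems found; an empty list means the payload fits the schema."""
    problems: list[str] = []

    # Reject anything the form is not supposed to collect (extra fields are silently
    # dropped by many frameworks, which is how unexpected personal data ends up stored).
    unknown = sorted(set(payload) - ALLOWED_FIELDS)
    if unknown:
        problems.append(f"unexpected fields: {unknown}")
    missing = sorted(ALLOWED_FIELDS - set(payload))
    if missing:
        problems.append(f"missing fields: {missing}")

    # Ratings must be integers 1-10; bool is a subclass of int, so exclude it explicitly.
    for name in RATING_FIELDS:
        if name not in payload:
            continue
        value = payload[name]
        if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 10:
            problems.append(f"{name}: must be an integer between 1 and 10")

    # The identifier must be an opaque token, never a name, address or other free text.
    cid = payload.get("client_id")
    if cid is not None and (not isinstance(cid, str) or not CLIENT_ID_RE.fullmatch(cid)):
        problems.append("client_id: must be an opaque identifier (letters, digits, '-' or '_', max 32)")
    return problems


def validate_submission(payload: dict) -> SurveyResponse:
    """Raise ValueError on any schema violation, otherwise return a typed response."""
    problems = check_submission(payload)
    if problems:
        raise ValueError("; ".join(problems))
    return SurveyResponse(
        client_id=payload["client_id"],
        quality=payload["quality"],
        punctuality=payload["punctuality"],
        politeness=payload["politeness"],
    )


# Constructed sample payloads: one that fits the schema and one carrying an unsolicited comment.
GOOD_PAYLOAD = {"client_id": "C-1042", "quality": 9, "punctuality": 8, "politeness": 10}
BAD_PAYLOAD = {**GOOD_PAYLOAD, "comment": "the cleaner mentioned she lives at ..."}

if __name__ == "__main__":
    print(validate_submission(GOOD_PAYLOAD))
    print(check_submission(BAD_PAYLOAD))
```

Rejecting the whole submission rather than dropping the unexpected field is deliberate: it makes the mismatch between the form and the backend visible during testing instead of letting stray data accumulate.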
Step 3: Display GDPR Information Notices
GDPR information notices must also be displayed to the user, as this is part of the transparency obligations that organizations have when collecting personal data; the French CNIL has very detailed prescriptions in this regard.
In short, it is necessary to clearly inform the user about what is done with their data, the reason for collecting it, and other information such as the duration for which the data will be retained.
Legal notices can be generated automatically using GDPR compliance management software or drafted manually.
Step 4: Is Consent Necessary?
It is not necessarily required to obtain the consent of individuals whose data is processed if the questionnaire is part of a service provided by the organization.
Indeed, what the GDPR requires is to have a legal basis. Consent is one legal basis, but it is not the only one!
Article 6 of the GDPR provides 6 legal bases that authorize the collection of personal data:
- The consent of the individuals
- The contract, or pre-contractual measures
- A legal obligation
- The protection of vital interests of a person
- Public interest / public authority
- The legitimate interests of the data controller
In this respect, it is perfectly conceivable, for the evaluation of a service, to rely on the "contractual" legal basis. That being said, beyond a service actually provided, consent will be the most appropriate legal basis for any general questionnaire (see here how to collect valid consent under the GDPR).
II. - Practical Example
To conclude, here is a practical example of a GDPR-compliant service evaluation questionnaire: