How to Create a GDPR Compliant Questionnaire (Surveys, Satisfaction Inquiries, etc.)

How to design a questionnaire that is compliant with the GDPR and ensures data collection in accordance with the law

It is important to ensure GDPR compliance when collecting personal data, as numerous sanctions have been imposed in this regard (see 14 GDPR Sanctions You Must Know). However, it is quite easy to implement minimal rules and avoid the risk of a fine.

In most cases, collecting data through a questionnaire, form, or web survey will trigger the application of the GDPR because the user's IP address is processed (and an IP address is considered personal data under the GDPR).

Therefore, there are certain important obligations to implement to ensure compliance (I). We will then see some practical examples (II).

I. - Key Obligations to Comply With

There are a number of important obligations to comply with: adding the processing activity to the registry, minimizing collected data, and displaying GDPR information notices.

Step 1: Add the Processing Activity to the Registry

As soon as an organization sets up an activity that processes personal data (under the GDPR = any data that allows the identification of individuals, directly or indirectly), the organization must reference this activity in a registry.

Note that it is the activity itself that is recorded (e.g., conducting customer satisfaction surveys), not the data processed. This makes it possible to know where the personal data processed by the organization are and then to verify their compliance (e.g., their security, the periods during which the data are processed, etc.).

Typically, GDPR compliance management software is used for this. In the case of Legiscope, the software already offers a series of pre-written, GDPR-compliant standard data collection and processing activities, so one can simply import this type of processing activity into the registry.

Once the activity is imported, it will be automatically added to the registry and the description of the processing activity will be compliant with the requirements of Article 30 for the creation of the registry.

Indeed, the organization must detail:

  • a) the name and contact details of the data controller and, where applicable, the joint controller, the representative of the data controller, and the data protection officer;
  • b) the purposes of the processing;
  • c) a description of the categories of data subjects and the categories of personal data;
  • d) the categories of recipients;
  • e) transfers of personal data;
  • f) the envisaged time limits for the erasure of the different categories of data;
  • g) a general description of the technical and organizational security measures.

It is possible to write this documentation manually, but the task is laborious for each processing activity; here, the drafting has already been done in full.

Once the activity is added to the registry, it is then necessary to minimize the collected data.

Step 2: Minimize Collected Data

The GDPR requires the collection of the minimum amount of data from the data subjects (Art. 5):

adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimization)

Therefore, it is necessary to reflect on the questions asked and ensure that they are adequate in relation to the objectives of the processing.

For example, for a company operating a home cleaning service, a satisfaction questionnaire could be limited to:

  • the quality of the cleaning: rating from 1 to 10
  • the punctuality of the person: rating from 1 to 10
  • the politeness of the person: rating from 1 to 10
  • the name of the client or their identifier

These data are objectively necessary for evaluating the service. Note that the data here are properly minimized by using a rating from 1 to 10 and deliberately avoiding a free-text field, which would open the possibility for clients to enter all sorts of data (including comments unrelated to the work performed).

This is an important element of implementation.
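As an added illustration (not part of the original article), here is a small server-side check that enforces the minimized questionnaire described above: only the four fields, integer ratings from 1 to 10, and a short client identifier, with any extra or free-text field rejected even if the front-end form is altered. The field names and the identifier format are assumptions.

```python
"""Server-side enforcement of a minimized satisfaction questionnaire.

Assumed field names (not from the original article): quality, punctuality,
politeness and client_id. Anything else in the submitted payload is rejected,
so a free-text comment cannot be stored by accident.
"""
import re

RATING_FIELDS = ("quality", "punctuality", "politeness")
ALLOWED_FIELDS = frozenset(RATING_FIELDS) | {"client_id"}
# Constructed constraint: the identifier is a short opaque token, never free text.
CLIENT_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def validate_response(payload: dict) -> tuple:
    """Return (clean_record, errors); clean_record is None when any error occurs."""
    errors = []

    # Reject unexpected keys up front: this is the data-minimization guard.
    unexpected = set(payload) - ALLOWED_FIELDS
    if unexpected:
        errors.append(f"unexpected fields rejected: {sorted(unexpected)}")

    clean = {}
    for field in RATING_FIELDS:
        value = payload.get(field)
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 10:
            errors.append(f"{field}: must be an integer from 1 to 10")
        else:
            clean[field] = value

    client_id = payload.get("client_id")
    if not isinstance(client_id, str) or not CLIENT_ID_RE.match(client_id):
        errors.append("client_id: must be a short identifier, not free text")
    else:
        clean["client_id"] = client_id

    return (clean, []) if not errors else (None, errors)


if __name__ == "__main__":
    # Constructed sample submission containing a free-text field that must be dropped.
    print(validate_response({"quality": 9, "punctuality": 10, "politeness": 8,
                             "client_id": "C-1042", "comment": "lovely person"}))
```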

Step 3: Display GDPR Information Notices

GDPR information notices must also be displayed to the user, as this is part of the transparency obligations that organizations have when collecting personal data; the French CNIL has very detailed prescriptions in this regard.

In short, it is necessary to clearly inform the user about what is done with their data, the reason for collecting it, and other information such as the duration for which the data will be retained.

Legal notices can be generated automatically using GDPR compliance management software or drafted manually.

Step 4: Is Consent Necessary?

It is not necessarily required to obtain the consent of individuals whose data is processed if the questionnaire is part of a service provided by the organization.

Indeed, what the GDPR requires is to have a legal basis. Consent is one legal basis, but it is not the only one!

Article 6 of the GDPR provides 6 legal bases that authorize the collection of personal data:

  • The consent of the individuals
  • The contract, or pre-contractual measures
  • A legal obligation
  • The protection of vital interests of a person
  • Public interest / public authority
  • The legitimate interests of the data controller

In this respect, it is perfectly conceivable to rely on the "contractual" legal basis for the evaluation of a service. That being said, beyond a service actually provided, consent will be the most appropriate legal basis for any general questionnaire (see here how to collect valid consent under the GDPR).

II. - Practical Example

To conclude, here is a practical example of a GDPR-compliant service evaluation questionnaire: