How to create GDPR compliant surveys?

GDPR Compliant Survey Examples

General Data Protection Regulation (GDPR) is one of the most significant changes that are about to happen in the area of data privacy. Under this regulation, data is to be coordinated, shielded and commissioned for all the European citizens.

Online surveys are an integral tool to collect data and with GDPR survey coming into being, it has become extremely critical to make them GDPR compliant as well. In this blog, we discuss the measures taken to ensure QuestionPro survey users create 100% GDPR compliant surveys.

Click here to learn about GDPR data collection

How to create GDPR compliant surveys with QuestionPro:

Ensure your organization is GDPR compliant 

  • Login to your QuestionPro Account 
  • Go to Account > Compliance >> GDPR tab 
  • Checkbox: ON / OFF – GDPR Compliance.


NOTE: The GDPR compliance button is turned on by default if we are on our EU servers. However, other DC users might have to turn it on manually as shown above. (The effect of GDPR survey settings is at an organizational level, not user level.)
  • Once you switch on the button to enable GDPR compliance, you will be redirected to a new page


  • Fill in the information of the Data protection officer appointed in your organization.
  • Fill all the information including name, office, email, phone number, and all such mandatory details. 
  • Hit ‘Save Changes’
    • To edit the privacy policy click on ‘Policy’ and update the GDPR field guidelines such as Data retention, Use of Data, Sale of Data, Contacting individuals. 
    • Ensure all updated information clearly conveys the reason for which you are conducting the survey, what you plan to do with the collected data, and how long do you intend to save the respondent data. 
    • Deletion requests’ displays the details of the respondent who do not wish to share his/her information with you or wants his/her personal data removed from your database.


  • Every organization intending to have GDPR compliant surveys must have a Data Protection (DP) Officer:

For any organization to have a successful data collection process in place, they need to have a DP officer. This will be an authorized person with the knowledge of data and privacy issues and the details of this person like office, name, email and contact information needs to be filled in from Account > Organization > GDPR.

This information goes into the survey footer. Especially in the case of Enterprise customers using edge support look for DP officer to represent their organization provided they have an edge support agreement.

  • The data retention period for the survey data:

The GDPR compliant surveys relations specify that all the organization looking for compliance, have to clarify the tenure for which respondent data will be retained. If an account is active and consistently paid for, QuestionPro has an infinite reservation period. In case an account is abolished willingly or unwillingly, we provide a buffer period of 30 days after which the user data will be eliminated from our servers.

Under GDPR, every organization needs to have their own data retention rules, these are ours. We provide our own language and data protection policy and so should every other organization and mention it clearly in their surveys.

  • Allow users to access the collected data:

GDPR compliant surveys enforce the fact that every respondent should be able to read and also download their data in readable formats. We allow users to corresponding user metadata along with downloading it like IP address, information about browser and others.

To make sure the download is also GDPR compliant survey tool, users can make the download in either PDF or JSON format.

  • Full proof your survey data from any breaches:

GDPR allows every organization to select a Lead Supervising Authority, and as QuestionPro has its presence across Europe, we have chosen Dutch – DPA which for data collection and supervision, especially due to our physical presence in the Netherlands. Due to this, in case there exists some data discrepancy, we have to report it to the DPA authorities in the Netherlands.

There may occur cases where our customers feel the need to have their selected DPA. So, in case of any theft or breach of data, they can contact their own DPA as soon as we get in touch with them about it.