1. Do privacy statements need to be translated for each EU country being surveyed?

Our recommendation is to at least translate it into all the languages the survey is deployed in. For example, if you are deploying surveys in English, French and German - our recommendation is that the GDPR privacy and compliance statement be translated into those 3 languages at least. This is not a hard requirement, but it's our recommendation. This effectively captures the spirit of the “Informed Consent” articles of GDPR.

2. Does GDPR apply to surveys that are anonymous and identifiable data is not collected?

We think that this does apply. The EU courts have ruled that an IP address is “Personal Data” - so it would be almost impossible to do an online survey where the IP address is not used or collected.

3. Is a DPA required from panel providers?

Yes. Our position is that if you are contracting with Panel Providers to redirect users - they must have a DPA with you. In cases where you are already using QuestionPro Audience to fill out your surveys, you don’t need one - because the overall DPA between QuestionPro and you will cover that automatically.

4. Does the GDPR Compliance in QP have to be enabled and filled in if the QuestionPro tool is used solely in the US for customers in the US?

No - If you are based in the US and all your respondents are in the US - GDPR does not really apply to you. That is why we’ve made the GDPR compliance an optional feature on our system. This is typically mandatory for EU companies or companies collecting data from EU residents.

5. What if the responder is an EU citizen not resident in the EU? Do these rules still apply? If so, can we simply exclude EU citizens from our sample?

In general, this becomes a matter of jurisdiction. GDPR applies to all EU residents - independent of citizenship. So, if you have EU citizens in - say Singapore - they will not have the same protection. We would argue that you exclude EU residents from your sample, if you don’t want to have GDPR affect your research.

6. Who is the QuestionPro DPO?

The QuestionPro DPO is listed here :

7. Are you seeing any local or state governments concerned about GDPR and can you share some examples?

So far, US state and local governments are not materially affected by GDPR, partly because most United States state, local and federal agencies have their own data-protection and human subjects research rules that they need to abide by. In many cases these might even conflict with GDPR regulations. Therefore, we would advise that US government agencies (federal, state and local) continue to look to internal legal counsel for guidelines.

8. Do I, as a QuestionPro customer, have to enter our DPO's contact information as well?

Yes - You do. We have screens for you to enter your Data Protection Officer’s contact information. This will be displayed to the survey respondent if they choose to contact you regarding their data or privacy.

9. How does one identify a breach? Is this when the consumers complain or do there need to be regular check mechanisms?

GDPR does not really go into the mechanisms that must be in place for identifying breaches, like IDS (Intrusion Detection System) devices. It does, however, mandate that consumers / affected parties be notified within 72 hours of a company identifying a breach. The regulation is around disclosure of the breach. It is expected that companies take security precautions and have a layered security approach to data - but that’s a technical issue and not a regulatory issue.

10. How do you identify a user requesting a delete? Based on email address?

We store cookies on the respondent’s browser instance. Not all surveys are sent via email. We consider this as the point of interaction - the online browser experience. Using the cookies, we identify all the surveys the respondent has taken - and give them the option of requesting a delete or even viewing the data that the respondent has provided.

11. Is there a mechanism to auto-delete or auto-approve the workflow requests for deleting the responses?

At this point - No. We are intentionally making the process manual when we start off. Over time, as the GDPR regime takes hold and depending upon the volume of RTBF (Right to be Forgotten) requests that come through, we probably will enable tools for our customers to auto-approve requests.

12. If a respondent takes surveys from multiple customers (of QuestionPro) how will the delete workflow work?

When a respondent sees all the surveys that he/she has taken via QuestionPro, they have the option of deleting a single response or all their data.
If it's a single response - then the workflow for that Survey Admin will be triggered, i.e. an email will be sent to the QuestionPro customer that owns and administers that survey.
If the respondent requests that all his data be removed, multiple workflow emails will be sent - depending upon whether each of the QuestionPro customers has turned on GDPR compliance or not.
In all cases, however, QuestionPro will automatically remove all the cookies associated with the user immediately.

13. Much of the published work has been on roles, staffing, and contracts. Given that this is a data issue at its heart, can you please cover the ways in which data needs to be secured and transmitted in order to be compliant with GDPR?

GDPR specifically does not require a standard for storage of data or, more importantly, any threshold for encryption. However, GDPR states that there must be “data protection by design” - we interpret that to be encryption both at rest as well as in-flight. What this means is that data moving between systems must be encrypted, and when data is stored in any system, it must be encrypted at rest. We believe that if those two rules are followed, then we comply with the “data protection by design” mandate.
Some practical considerations are - using SSL and SSL ONLY for all data transfers - this includes SFTP and HTTPS as the two dominant protocols for moving data between systems. When data is stored (in databases or hard drives) - there must be protections in place so that the data is not visible or available without a user-generated key or at least a system-generated key.
At QuestionPro, we have automatically moved all our Survey URLs to SSL. So any data that the respondent gives is via a secure channel. All data that gets transmitted from QuestionPro servers to local (customer) machines is also secured via the same SSL mechanism. Data that is stored on QuestionPro servers is automatically encrypted at the database/storage level. So, data is only available and exposed through the OS/application layer.
If customers are downloading data onto laptops/computers, we recommend that clients use local storage encryption for encrypting the files / file-system, so that they can only be unlocked with a login/password. This will fulfill the “protection by design” philosophy.

14. If a respondent deletes his response, wouldn't that affect the results being collected?

The respondents cannot directly delete the data. They can submit a request for deletion, which the survey owner can then approve.

15. Is there a minimum license level for GDPR compliance?

No, GDPR compliance is available for all users.

16. Is the data protection officer assigned in QuestionPro?

Yes. You can assign your own DPO from My Account -> Compliance -> GDPR.

17. Does the data protection officer need an account on QuestionPro?


18. Does data have to be stored on EU servers for GDPR compliance?


19. If the respondent deletes his responses, is it actually deleted from QuestionPro data centers?

No, the survey owner will have to approve the deletion request; then the response will be deleted from the data center.

20. Is the administrator of the survey notified in case a response is deleted?

Yes, the administrator will get an email notifying them about the deletion request.

21. If the GDPR setting is turned on, is it on for all respondents regardless of location?


22. When a respondent requests their data to be deleted via a survey do they only see the data associated with that specific survey or do they see their responses for all other surveys?

We’re tracking the responses based on cookies, so the respondents will see all their responses for which cookies are present.
