GDPR, Security, Survey Examples

How to Write GDPR-proof Privacy Policy for your Surveys (with examples)

As we explained in this article about GDPR-compliant surveys, an important part of having a GDPR-compliant survey is having a GDPR-compliant privacy policy. This guide helps you in writing a GDPR-compliant privacy policy for your surveys and forms.

The basics

The most important aspect of GDPR-compliant privacy policy texts is that they must be written in an easy-to-understand and simple way. Therefore, you should avoid using the commonly used jargon seen in legal texts.

So, a good privacy policy text for your surveys should be:

  • Short
  • Easy to read
  • Easy to understand
  • With no legal jargon

What should the privacy policy explain

For establishing trust and getting consent for your respondents you need to write a transparent and straightforward text.

In a privacy policy page intended for survey or research project, you normally explain who you are (if your respondents don’t already know about you or your organization). Additionally your policy must clarify the type of personal data which is processed, purpose of processing, intended retention, subject rights, source of data, conditions of processing.

So, these are the points that need to be explained in your text:

  1. What you collect and howIn your text, explain what type of personal data you are collecting and how. Is it respondents email, name, or IP address? Is it simply by asking them questions, or are you collecting data automatically (for example their geo-location or IP address)?
  2. Why you collectYour privacy policy text must clarify your reasons for collecting personal data. Explain for instance why you need their email. Do you have good reasons for collecting their name or address?
  3. How will you use their dataThis is super important to let your respondents know how you are going to use their personal data. Are you going to share it with third parties? In that case, say who these 3rd parties are and why you need to share their data with them. If you ask for their contact info for instance, are you going to use it to contact them, or send them something?
  4. How long will you keep their dataThe GDPR requires you to define a so called “data retention” period, when you collect personal data. Thus your privacy policy text should explain how long you will retain the data. After your data retantion period is over, you must delete all collected data, even those which are shared with 3rd parties!
  5. How secure is the data in your possessionYour privacy policy must also explain what security measurements are applied when you collect, export, share, and store personal data of your respondents. What tools are you using, and if your data processors are also taking the security of the data seriously.
  6. Clarify your respondents rightsThe GDPR clearly defines individuals rights for their own data. You must also make sure to reflect these rights in your privacy policy text, and inform your respondents about their rights, which are as follows:
    • Right to access, view, and edit their own information in a timely manner
    • Right to be forgotten, which means being deleted from your survey results
    • Also right to be able to opt-out form your future messages (e.g. if you use their data to send them ads or marketing messages)

    Keep in mind that data is owned by the respondents, not you or your company or organization.

  7. Who to contactEvery organization that is collecting data from EU citizens must have a Data Protection officer. The DPO is a person in the organization who can represent the organization with respect to data and privacy issues. Including the DPO’s contact information in your privacy policy would be great for your respondents, in case then need to ask questions or practice their rights.

Examples of a privacy notice inside a survey

We have gone through the requirements of the GDPR for writing privacy policies, but what then does a privacy notice actually look like?

You can present your privacy policy in different ways. It could be a part of your survey’s welcome page, like the example below, which illustrates a fair way of getting consent for collecting none-sensitive data.

Example of a getting consent for non-sensitive data in a survey

 

However, if suitable for your case, you can split up your privacy policy and spread it within the survey, displaying information where they are most relevant. This helps you make reading your privacy policy less scary and less intimidating for readers, while letting them know how and why you are collecting their data.

In the example below, the privacy notice has become a part of obtaining consent from respondents, informing them about legitimate interests of the surveyor. The notice is presented at the point of data collection.

Tip:
This way you give the respondents the opportunity to agree with some parts of your privacy policy, not all of it. It’s a very good idea, because you can still collect other valuable information for your research and let respondents skip some parts of it.

Here at [organization name] we take your privacy seriously, and will only use your personal information to [explain your intentions (e.g. provide the products and services you request us / or enhance our service based on your feedback)].
However, from time to time we would like to contact you with details of other [specify products/ offers/ services] we provide.
* In such case, how would you like us to contact you

  • Post
  • Email
  • Phone call
  • Text message

We would also like to pass your details onto other [name of company/ companies who you will pass the information to], so that they can contact you by [e.g post, email, etc…] to [explain their intentions].
* Do you consent to us passing on your details for that purpose?

  • Yes
  • No
Tip:

Based on how respondents have answered your questions previously and what they have given their consent to, you can later present respective questions taking advantage of our smart survey logic flows. For example if they choose “Email” and means of contact, you can then show the “email question”.

Below is another example of how you can divide up your privacy policy and embed it inside the survey itself.

What is your full name?

We need this to be able to verify your membership at our institute.

What is your email address?

From time to time we would like to contact you with details of other [specify products/ offers/ services] we provide. To do so, we need your email.

This information helps our partners to [explain their intentions].

What is your postal address?

This information helps our partners to [explain their intentions].


Conclusion

When you ask respondents to provide their personal information, they may sometimes feel a bit guarded and doubtful. However, by disclosing your privacy policies up front, you’ll not only increase your response rates by immediately putting your respondents at ease, but also do your research more professionally and according to law.

Writing a GDPR-compliant privacy policy text is super easy if you just cover the points that we explained above.

Also, as shown in our examples above, you can make the policy less scary and more easily-understood if you divide it up and spread it within your survey, showing relevant parts of it at the point of data collection.

 

About the Author
I eventually grew up after painting on many walls, getting too many scars, watching loads of animated movies, taking care of lots of injured animals, and inventing crazy strategies to bypass the "dictatorship" of the adults, and got a B.A. in Psychology. Shortly after, I grew up a bit more and got two M.A. degrees in art & design. Today, after growing up slightly more, I realize that I've been working with many companies and brilliant people, inventing new tech solutions, designing & coding cool stuff, making cute illustrations; while still truly enjoying, loving, and adoring the mother nature and all amazing cuddly creatures out there.