Guide · Privacy
GDPR-compliant surveys: the practical guide
Whenever a questionnaire collects a name, an email or an opinion that can be traced back to a person, it falls within the scope of the GDPR. The good news is that making a survey compliant isn’t complicated: it takes a few choices made well from the start. This guide sums up the points that matter and what to check in the platform you’ll use.
1. Identify the legal basis
Before collecting responses you need to know why you’re entitled to process that data. For most surveys the basis is the respondent’s consent, which must be free, specific and revocable at any time. In research or institutional contexts other bases may apply (legitimate interest, public-interest task): the choice must be justified and documented.
2. Provide a clear privacy notice
Respondents have the right to know who processes the data, for what purpose, how long it will be kept and how to exercise their rights. The notice (art. 13) must be shown before completion, in plain language. A good platform lets you attach it to the questionnaire and require explicit consent where needed.
3. Mind special-category data (art. 9)
Data on health, orientation, beliefs or ethnic origin are “special categories” and require reinforced safeguards. This is crucial in healthcare research and academic studies: collect only what you truly need (minimization) and consider whether anonymous collection is enough for your purpose.
4. Anonymous when you can
A truly anonymous questionnaire — recording no name, email, IP or device fingerprint — drastically reduces obligations and risks, and encourages more honest answers on sensitive topics. But the difference must be real and verifiable: some platforms claim anonymity while still collecting technical metadata.
5. Guarantee data-subject rights
People can ask to access, correct or delete their data. The platform must let you find a person’s responses and export or erase them on request, without complicated manual work.
6. Define retention and deletion
The GDPR requires not keeping data longer than necessary. Set a retention period and, better still, choose a tool that automatically deletes or anonymizes responses when the term expires.
7. Where the data ends up
This is the most overlooked and often the most delicate point: many widespread platforms process data on servers in the United States, which must be declared in the notice and handled with proper transfer safeguards. Choosing a platform that stores data entirely within the European Union removes the problem at the root.
How Sunset helps
Sunset is built for compliance from the ground up: data stored in the EU (Frankfurt), a cookieless respondent runtime, per-survey configurable notice and consent, truly anonymous and verifiable collectors, per-person response search and deletion, and automatic retention per organization. Compliance isn’t a paid add-on: it’s how the platform is built.