This is the survey data policy.
The following was taken from How to Write GDPR-proof Data Policies:
In a privacy policy page intended for a survey or research project, you normally explain who you are (if your respondents don’t already know about you or your organization). Additionally, your policy must clarify the type of personal data that is processed, the purpose of processing, intended retention, subject rights, source of data, and conditions of processing.
So, these are the points that need to be explained in your text:
- What you collect and how
  In your text, explain what type of personal data you are collecting and how. Is it respondents’ email, name, or IP address? Is it simply by asking them questions, or are you collecting data automatically (for example their geo-location or IP address)?
- Why you collect
  Your privacy policy text must clarify your reasons for collecting personal data. Explain for instance why you need their email. Do you have good reasons for collecting their name or address?
- How will you use their data
  It is super important to let your respondents know how you are going to use their personal data. Are you going to share it with third parties? In that case, say who these 3rd parties are and why you need to share their data with them. If you ask for their contact info for instance, are you going to use it to contact them, or send them something?
- How long will you keep their data
  The GDPR requires you to define a so-called “data retention” period when you collect personal data. Thus your privacy policy text should explain how long you will retain the data. After your data retention period is over, you must delete all collected data, even data that is shared with 3rd parties!
- How secure is the data in your possession
  Your privacy policy must also explain what security measures are applied when you collect, export, share, and store personal data of your respondents. What tools are you using, and are your data processors also taking the security of the data seriously?
- Clarify your respondents’ rights
  The GDPR clearly defines individuals’ rights for their own data. You must also make sure to reflect these rights in your privacy policy text, and inform your respondents about their rights, which are as follows:
  - Right to access, view, and edit their own information in a timely manner
  - Right to be forgotten, which means being deleted from your survey results
  - Also right to be able to opt out from your future messages (e.g. if you use their data to send them ads or marketing messages)
  Keep in mind that data is owned by the respondents, not you or your company or organization.
- Who to contact
  Every organization that is collecting data from EU citizens must have a Data Protection Officer. The DPO is a person in the organization who can represent the organization with respect to data and privacy issues. Including the DPO’s contact information in your privacy policy would be great for your respondents, in case they need to ask questions or exercise their rights.