Data Protection & GDPR in Surveys: Guide & Templates

Would you give personal data like your name, age, profession, or information about your health status to a complete stranger on the street? Let us guess: probably not without a good reason and only if you know exactly what will happen to your data. Completely rightly, data protection in Germany and especially in science has always been a major topic.

Since the new General Data Protection Regulation (GDPR) came into force on May 25, 2018, all companies, organizations, and website operators must now seriously consider how they process personal data of their users. If you want to create a survey for your research work, engaging with current GDPR requirements is therefore unavoidable.

 

Quick overview: Personal data & data protection

In online surveys, research is typically conducted using personal data of respondents. According to the Federal Data Protection Act, this refers to information relating to any natural person that allows conclusions about their physical, physiological, genetic, mental, economic, cultural, or social identity.

The collection, processing, or use of such data is subject to data protection regulations in order to protect the affected persons from data misuse.

The following information is classified as personal data according to the law:

• General personal data: name, age, address, profession, education level, place of birth, email address
• Physical characteristics: gender, skin color, weight, height, hair and eye color
• Various identification numbers: ID number, health insurance number, account number, social security number, or tax identification number
• Customer and profile data: app data, search engine history, order history, IP addresses, location data, and database entries

 

Legally, research with personal data is generally only possible if such data is collected anonymously or if explicit consent from the affected persons exists.

Furthermore, there is another category of personal data that is particularly sensitive and therefore subject to even stricter legal regulations. These so-called special categories of personal data include:

• Information about ethnic, religious, or political affiliation
• Information about sexual orientation
• Genetic, health, and biometric data

 

In this case, collection, gathering, and processing is exclusively possible with the consent of the respondents!

In both cases, the following applies: Anyone who does not comply with the legally prescribed data protection regulations when handling personal data can face high fines or other sanctions. These legal provisions also apply if the personal data is not presented as text but as photo, audio, or video material.

Data protection in a survey: handling personal data

In surveys, persons are questioned either in open interviews (= qualitative surveys) or with standardized questionnaires (= quantitative surveys) about their views, attitudes, or living conditions. These persons must not be harmed by the survey, which is why the fundamental right to informational self-determination applies here.

To ensure your survey complies with legal data protection regulations, you must follow these rules:

• Personal data may only be collected for a specific purpose – and those affected must explicitly consent to this purpose.
• Personal data must be deleted when no longer needed for research purposes or as soon as respondents request deletion.
• Personal data is subject to data confidentiality and may not be passed on to third parties without the consent of respondents.

 

The European GDPR regulations are based on a legal principle according to which a specific action is generally prohibited unless explicit permission is granted (= prohibition with permission requirement). In most cases, you will therefore need a written consent declaration from those affected in order to work with personal data in surveys.

When using survey tools, you must also ensure that they comply with European data protection regulations and do not unlawfully sell your participants' data to third parties. Especially with services that have servers outside the EU, you need to be careful: depending on where a software provider's server is located, that region's data protection regulations also apply.

 

Consent declaration in surveys: a checklist

A consent declaration is typically presented at the beginning of most surveys. This not only protects you legally but also signals to your participants that you take their privacy seriously.

A good consent declaration should contain the following information:

• Identity and contact information of the researcher
• Specific purpose of collection, processing, and use of personal data (e.g., specific research project)
• Type of processing (e.g., a survey)
• Notice of confidential handling of personal data
• Note on the voluntariness of information and the possibility of revoking consent

 

A consent declaration does not have to be complicated either. Most importantly, your participants must be aware of what data is being collected and what it will be used for.

Attention: Some scientific fields, e.g., in medical or psychological research, may under certain circumstances use personal data without consent. Legal exceptions for such cases are governed by the Basic Law regarding freedom of research.

In general, you can always assume that for most research projects, the personal fundamental right to informational self-determination continues to apply when processing data. A consent declaration is therefore often the only legally safe way to work with personal data!

 

Anonymous survey: possible at all?

The GDPR generally only applies if you collect personal data in the first place. At the same time, the data protection law provides for a concept of anonymization, with which personal data in research can be collected without a consent declaration. Absolute anonymization is only spoken of when it is excluded in any way that the collected data can be traced back to an identifiable person.

However, it is controversial in research whether such absolute anonymization is even possible. While there are various methods that can anonymize identification features, they are both time-consuming and costly – and usually not 100 percent reliable. Therefore, completely anonymous surveys, especially in smaller studies such as those conducted as part of a thesis, are rather unlikely.

In most cases, research is conducted using pseudonymization or data encryption, which in turn is subject to the data protection regulations described above. Additionally, especially the study of personal data is essential for many research purposes, such as when demographic information about respondents is needed to compare answers.

 

GDPR in science: meaningful protection of privacy?

In the course of digitalization, personal data is stored in most socially relevant areas. In many research fields, this has made it possible to carry out collection, storage, evaluation, and analysis of large amounts of data faster and more precisely than ever before.

Meanwhile, European laws ensure that a uniform and binding foundation is created so that collected data cannot be misused. Although dealing with data protection and consent declarations in the context of scientific surveys may seem tedious, these legal measures ultimately benefit all involved.

Ultimately, this ensures that research remains safe and fair, without respondents having to worry about data and address trading as well as identity theft. In science, where the human being and their needs are at the forefront, researchers were already interested in protecting the privacy of their participants!

 

Further reading

Scharler, Thomas (2019). Data Protection Compact: GDPR for Website Operators including Checklists. Norderstedt: Books on Demand.

Solmecke, Christian/Sibel Kocatepe (2018). GDPR for Website Operators: Your Guide to Safely Implementing the EU General Data Protection Regulation. 2nd expanded edition. Bonn: Rheinwerk Verlag.

Voigt, Paul/Axel von dem Bussche (2018). EU General Data Protection Regulation (GDPR): Practitioner's Handbook. Berlin: Springer.

Watteler, Oliver/Thomas Ebel (2019). "Data Protection in Research Management." Research Management of Social Science Survey Data. Ed. Jensen, Uwe et al. Opladen/Berlin/Toronto: Verlag Barbara Budrich.