Expert Advice Community

NPS form - GDPR Rules

Guest user Created:   Mar 26, 2021 Last commented:   Mar 29, 2021

My company wants to send an NPS form (created through a survey tool like SurveyMonkey) to some of our Fortune 500 customers via email. I have read that if we don't collect any personal data and conduct the survey anonymously then it would be ok to rely on a completely unmistakable notice along the lines of “by submitting this form you agree that we will process your data in line with our privacy policy”. Is this correct? If we do decide to collect identifiable data, would it be enough for us to ask their consent via a pop-up where they can 'agree' or 'refuse'? Of course with a link to said privacy policy to which they would agree or refuse? Could you please advise on the best practice for sending these types of NPS surveys via email to our customers in accordance with GDPR rules?

Expert
Alessandra Nisticò Mar 29, 2021

Anonymized data are not ruled by the EU GDPR, so you should insert the notice in which you claim that the survey is anonymized and any personal data will be collected. To insert this notice you must be sure that the system does not link the email of your client to the answer, nor is the IP address tracked, and that the data collected through the survey do not make the individual identifiable.

Otherwise, you need to collect consent and make a specific privacy notice. You cannot say that your personal data shall be processed under our privacy policy unless your privacy policy states how you process data collected through a survey.

The best practice is to draft a tailored privacy notice for the survey, where you define:

  • The purpose of processing (why are you collecting the information: to provide a service? For marketing purposes? To develop a new product?)
  • The legal basis (which will be based on consent)
  • The data retention period (how long will you keep data? Consider that the controller must process data until the purpose of processing is reached. For online marketing, 12/24 months is considered to be a fine period, but maybe data get old too soon and you don’t need to keep the results from the survey for so long)
  • What kind of data you will collect: health? Income? Property? Location? Age?
  • If any data transfer outside the EU applies
  • The rights for the data subjects

Here you can find more information about consent and privacy notice:

Guest
guest Mar 29, 2021

Hi. Thank you for the reply. One last question. Am I allowed to use the emails of our clients that we regularly communicate with for this purpose (NPS forms) without a formal consent from the recipient? Or do we have to ask them whether they consent to being sent an NPS survey via these emails? Thanks

Expert
Alessandra Nisticò Mar 29, 2021

If the purpose of processing is the same as that for which the email was given, you can use the emails. You need to evaluate if your client can reasonably think that he/she is going to receive those surveys. If the answer is no, you will need consent; otherwise, you can send the NPS survey.
