BLACK FRIDAY DISCOUNT
Get 30% off on toolkits, course exams, Conformio, and Company Training Academy yearly plans.
Limited-time offer – ends December 2, 2024
Use promo code:
30OFFBLACK

Expert Advice Community

Guest

NPS form - GDPR Rules

  Quote
Guest
Guest user Created:   Mar 26, 2021 Last commented:   Mar 29, 2021

NPS form - GDPR Rules

My company wants to send an NPS form (created through a survey tool like SurveyMoneky) to some of our fortune 500 customers via emai. I have read that if we don't collect any personal data and conduct the survey anonymously then it would be ok to rely on a completely unmistakable notice along the lines of “by submitting this form you agree that we will process your data in line with our privacy policy. Is this correct? If we do decide to collect identifiable data, would the be enough for us to ask their consent via a pop-up where they can 'agree' or 'refuse' ? Of course with a link to said privacy policy to which they would agree or refuse? Could you please advise on the best practice for sending these type of NPS surveys via email to our customers in accordance to GDPR rules?
0 0

Assign topic to the user

EU GDPR & ISO 27001 INTEGRATED DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

EU GDPR & ISO 27001 INTEGRATED DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Alessandra Nisticò Mar 29, 2021

Anonymized data are not ruled by the EU GDPR so you should insert the notice in which you claim that the survey is anonymized and any personal data will be collected. To insert this notice you must be sure that the system does not link the email of your client to the answer, nor the IP address is tracked and the data collected through the survey do not make identifiable the individual.

Otherwise, you need to collect consent and make a specific privacy notice. You cannot say that your personal data shall be processed under our privacy policy unless your privacy policy states how you process data collected through a survey.

The best practice is to draft a tailored privacy notice for the survey, where you define:

  • The purpose of processing (why you are collecting the information to provide a service? For marketing purposes? To develop a new product?)
  • The legal basis (which will be based on consent)
  • The data retention period (how long will you keep data? Consider that the controller must process data until the purpose of processing is reached. Online marketing is considered 12/24 months to be a fine period, but maybe data get old too soon and you don’t need to keep the results from the survey for so long
  • What kind of data you will collect: health? Income? Property? Location? Age?
  • If any data transfer outside the EU applies
  • The rights for the data subjects

Here you can find more information about consent and privacy notice:

Quote
0 1
Guest
guest Mar 29, 2021

Hi. Thank you for the reply. One last question. Am I allowed to use the emails of our clients that we regularly communicate for this purpose (NPS forms) without a formal consent from the recipient? Or do we have to ask them wheter they consent being sent an NPS survey via these emails? Thanks 

Quote
0 0
Expert
Alessandra Nisticò Mar 29, 2021

If the purpose of processing is the same as that the email was given, you can use the emails. You need to evaluate if your clients can reasonably think that he/she is going to receive those surveys. If the answer is not, you will need consent, otherwise, you can send the NPS survey.

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Mar 26, 2021

Mar 29, 2021

Suggested Topics