Personal data (PII)
May 31, 2026
Picture this: a marketer launches a customer survey. The last question reads, "Leave your email so we can follow up with the results." Three hundred people enter their addresses.
A month later the company receives a complaint filed with the data-protection authority: one of the respondents claims their data is being processed without consent. The marketer is baffled: "But they typed in the email themselves!" Yet "typing it in" is not the same as "giving consent to processing." Data-protection law requires consent that is specific, informed, and freely given: exactly what is collected, why, who processes it, and how long it is stored. A single email field is not enough. For anyone who runs surveys, and especially for anyone collecting contact details, understanding data-protection law is not optional, it is mandatory.
What personal data is
Personal data (also called personally identifiable information, or PII) is any information relating to a directly or indirectly identified or identifiable natural person (the data subject). Data-protection laws such as the GDPR set the rules for how it is collected, stored, processed, and transferred.
What counts as personal data? Not just a full name and ID documents. It is any information that can be used to identify a specific individual:
- Full name, date of birth, address
- Email, phone number
- IP address, cookies (in a context that allows identification)
- Photos, video recordings
- Data about health, political views, religion (special categories — subject to stronger protection)
- A combination of data: "male, 34, chief accountant, in a mid-sized city" — may be enough for identification
The key test: if a set of data points can reveal who exactly a person is, it is personal data, even if each parameter on its own is anonymous.
What this has to do with surveys
Surveys are one of the most common tools for collecting information about people. And almost every survey touches personal data in one way or another.
Direct collection of personal data. The questionnaire asks for a name, email, phone, job title, or company name. These are obvious personal data.
Indirect collection. The questionnaire is anonymous, but you send it out to an email list — which means you know who you sent it to and who responded (from the metadata). Or you pass a customer ID through a hidden variable, letting you link the response to a profile in your CRM.
Accidental collection. In an open text field a respondent writes on their own: "My name is John Smith, my number is 555-123-4567, please call me back." You didn't ask — but you received the data, and now you are obliged to protect it.
If your survey collects even one element that can identify a person, you are a data controller and must comply with data-protection requirements.
What data-protection law requires when running surveys
1. The subject's consent
The core requirement: the subject must give consent to the processing of their personal data. Consent must be:
- Specific — stating exactly which data is collected.
- Informed — the subject knows who is collecting it, why, how it is processed, and to whom it may be passed.
- Clear — not buried in fine print in a corner, but presented in an understandable form.
- Freely given — you cannot make participation in the survey conditional on mandatory provision of personal data (unless it is necessary for the purpose of processing).
In online surveys this is usually done through a checkbox with a consent statement before the questionnaire begins or before any questions that ask for personal data. SurveyNinja has a built-in element — a personal-data processing consent — that can be added to a questionnaire in a couple of clicks.
2. Defining the purpose of processing
You are required to state why you are collecting the data. "To improve service quality" is acceptable but vague. "To handle feedback about an order and to contact the customer if clarifications are needed" is more specific and more defensible. The purpose sets the boundaries: if you collected an email to follow up on survey results, you cannot use it for a marketing newsletter without separate consent.
3. Data minimization
Collect only the data that is necessary for the stated purpose. If the goal is an anonymous satisfaction assessment, asking for a full name and phone number is excessive. This principle (data minimization) protects both the respondent and you: the less personal data you store, the lower the risk in the event of a breach.
4. Where data is stored
Many data-protection regimes restrict where personal data may be stored or transferred — for example, the GDPR limits transfers of EU residents' data outside the European Economic Area unless adequate safeguards are in place. This matters when choosing a survey platform: if a service stores data in a jurisdiction without proper safeguards, there is a risk of breaking the law.
5. Ensuring security
The controller is obliged to take technical and organizational measures to protect personal data: encryption, access control, logging, backups. For most companies this means: choose a platform that already provides these measures, rather than building the infrastructure yourself.
6. Privacy policy
A document describing exactly how you process personal data must be published and available to the subjects. Usually this is a link in the footer of the questionnaire or on the company website.
Anonymous surveys and data-protection law
If a survey is truly anonymous, data-protection law does not apply, because there is no subject (it is impossible to determine who responded). But "anonymous" is a strict requirement:
- The questionnaire asks for no personal data at all (no email, no phone, no name).
- Responses are not tied to identifiers (no hidden variables with a client_id).
- Metadata does not allow identification (IP addresses are not stored or are anonymized).
- The combination of answers does not reveal an individual (if a company has a single 58-year-old male accountant from a small town, his answer in an "anonymous" HR survey is de facto not anonymous).
If even one condition is not met, the survey is not anonymous, and data-protection requirements apply in full.
Employee surveys: special nuances
HR surveys are a higher-risk area, because employees often doubt their anonymity.
The trust problem. Even if a survey is technically anonymous, employees may not believe it — and give socially desirable answers. Or not participate at all. Transparency is key: explain exactly how anonymity is ensured, who sees the data, and in what form (aggregated only, with no way to identify a specific person).
Small teams. If a department has 3 people and you segment by department, anonymity is effectively gone. Set a minimum threshold: results for a segment are shown only if it contains at least 5–10 responses.
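The minimum-threshold rule can be enforced in the reporting code itself. The following is an added example, not part of the original article or of any survey platform; the function name, field names and sample data are assumptions. It goes one step beyond the text by also hiding a second segment when a single suppressed one could be worked out by subtracting the visible segments from the overall total.

```python
from collections import defaultdict
from statistics import mean

MIN_SEGMENT_SIZE = 5  # lower end of the 5-10 range; raise it for sensitive topics


def segment_report(responses, segment_key, score_key, k=MIN_SEGMENT_SIZE):
    """Aggregate scores per segment; suppressed segments map to None."""
    groups = defaultdict(list)
    for row in responses:
        groups[row[segment_key]].append(row[score_key])

    # Primary suppression: any segment with fewer than k responses.
    hidden = {seg for seg, scores in groups.items() if len(scores) < k}
    visible = sorted((s for s in groups if s not in hidden), key=lambda s: len(groups[s]))
    # Complementary suppression: a lone hidden segment (or a hidden pool smaller
    # than k) can be recovered by subtracting the visible segments from the
    # overall total, so hide the smallest visible segments until that fails.
    while hidden and visible and (
        len(hidden) == 1 or sum(len(groups[s]) for s in hidden) < k
    ):
        hidden.add(visible.pop(0))

    def stats(scores):
        return {"n": len(scores), "mean": round(mean(scores), 2)}

    report = {seg: None if seg in hidden else stats(sc) for seg, sc in groups.items()}
    everything = [s for sc in groups.values() for s in sc]
    report["__overall__"] = stats(everything) if len(everything) >= k else None
    return report


# Constructed sample: an HR pulse survey scored 1-5, segmented by department.
SAMPLE = (
    [{"dept": "Sales", "score": s} for s in (4, 5, 3, 4, 4, 5, 2)]
    + [{"dept": "Support", "score": s} for s in (3, 3, 4, 2, 5, 4)]
    + [{"dept": "Finance", "score": s} for s in (2, 3, 3)]
)

if __name__ == "__main__":
    for segment, result in segment_report(SAMPLE, "dept", "score").items():
        print(segment, result or "suppressed (too few responses)")
```

In the sample, Finance (3 responses) is below the threshold, and Support is hidden with it so that Finance cannot be derived from the overall figure.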
Consent in the context of an employment relationship. An employee may feel pressure to take part in a survey (even though participation is formally voluntary). This creates a legally ambiguous situation around the "freely given" nature of consent. Best practice: make participation genuinely optional and do not track who completed it and who did not.
Practical recommendations
Add a consent element to every survey that collects personal data. It takes 30 seconds in the builder and protects you from legal claims. In SurveyNinja a consent element is a standard feature with customizable text.
If you don't need personal data, don't collect it. The most reliable way to comply with data-protection law is to stay out of its scope. An anonymous survey with no personal data collection carries zero legal risk. Ask yourself: "Do I really need the respondent's email?" If the answer is "to send them the results," maybe it is enough to show the result on screen?
Choose a platform that meets your data-residency requirements. Check where the provider stores data and whether it aligns with the regulations that apply to you. SurveyNinja lets you keep data where you need it, and for organizations with heightened security requirements a boxed (on-premises) version is available, installed on your own servers with full control over the data.
Separate personal data from responses during analysis. If you need contact details to follow up, store them separately from the answers. Run analytics on de-identified data. This reduces the risk in a breach and makes it easier to honor the minimization principle.
Limit the retention period. Personal data should be stored no longer than necessary to achieve the purpose of processing. Once the survey is finished, the data is analyzed, and the report is ready, personal data from the responses should be deleted or anonymized. Set an internal policy: for example, personal data from surveys is kept for no more than 12 months.
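A sketch of the last two recommendations, separate storage and limited retention, as an added example that is not code from the original article or from any survey platform. The field names, the in-memory "stores" and the 365-day period are assumptions, and the free-text scrub is a heuristic for the accidental-collection case described earlier: it masks emails and phone-like digit runs but cannot catch names.

```python
import re
import secrets
from datetime import datetime, timedelta, timezone

CONTACT_FIELDS = {"name", "email", "phone"}  # assumed direct identifiers
RETENTION = timedelta(days=365)              # the 12-month policy example
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")  # over-matches on purpose


def scrub(text):
    """Mask emails and phone-like digit runs volunteered in free text."""
    return PHONE_RE.sub("[phone removed]", EMAIL_RE.sub("[email removed]", text))


def split_submission(raw, now):
    """Return (contact_row, answer_row), linked only by a random token."""
    token = secrets.token_hex(16)  # random, so it reveals nothing by itself
    contact = {k: v for k, v in raw.items() if k in CONTACT_FIELDS}
    answers = {k: scrub(v) if isinstance(v, str) else v
               for k, v in raw.items() if k not in CONTACT_FIELDS}
    contact_row = {"token": token, "stored_at": now, **contact} if contact else None
    return contact_row, {"token": token, **answers}


def purge_expired(contacts, now, retention=RETENTION):
    """Keep only contact rows inside the retention period.

    Answer rows are left alone: once the contact row is gone, the token in
    the answer row no longer links to a person.
    """
    return [c for c in contacts if now - c["stored_at"] <= retention]


# Constructed sample submission, reusing the free-text case from the article.
SAMPLE = {
    "email": "j.smith@example.com",
    "score": 4,
    "comment": "My name is John Smith, my number is 555-123-4567, please call me back.",
}

if __name__ == "__main__":
    contact_row, answer_row = split_submission(SAMPLE, datetime.now(timezone.utc))
    print(contact_row)  # goes to the access-restricted contact store
    print(answer_row)   # goes to the analytics store
```

Analytics then runs only on the answer rows; the contact store sits behind its own access control and is the only place the purge has to touch.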
Train the team. The marketer, the HR manager, the analyst — everyone who creates and processes surveys should understand the basic data-protection requirements. This is not a lawyer's job, it is operational hygiene, like washing your hands.
Fines and liability
Violating data-protection law carries serious consequences. Under the GDPR, for instance, fines can reach up to 20 million euros or 4% of a company's global annual turnover, whichever is higher, and regulators have stepped up enforcement in recent years. Ignoring the requirements is a risky strategy, especially for large-scale surveys with thousands of respondents.
Data-protection law is not a bureaucratic obstacle but a safeguard for the trust between you and your respondents. When someone fills in your questionnaire and leaves their data, they are trusting you. Complying with the law is the minimum way to honor that trust. And for the business, it is a way to avoid fines, reputational damage, and the loss of an audience that no longer believes its data is safe.
Published: May 31, 2026
Mike Taylor