SurveyGizmo GDPR Command Center

GDPR 101

Applicable to EU-based businesses and any business that controls or processes the data of EU citizens are required to comply with GDPR starting May 25, 2018 and beyond. This set of laws is the latest effort to ensure everyone has control of their data, and knows exactly where and how it’s used – requiring individual consent.

We are a business of data integrity

With SurveyGizmo, you can have a peace of mind that data is collected, stored, and processed with the appropriate levels of sensitivity – always meeting or exceeding GDPR compliance.

Centralized information always accessible

This is our central space where all things GDPR are monitored. Stay informed with our GDPR compliance and ongoing data privacy initiatives centralized here.

Disclaimer: While we confer with counsel and in-house compliance and security on various data privacy policies and regulations like the GDPR, do not mistake this information to be a substitute for legal advice.

Latest GDPR News & Resources

SurveyGizmo GDPR Commitment

SurveyGizmo’s Commitment to GDPR

SurveyGizmo is undertaking a number of efforts to not only comply with but to exceed the spirit of the regulation.

Read the Details
Time for GDPR

Time For GDPR: Here’s How It Could Help The Bottom Line

Recently published in Forbes.

Read the Details

SurveyGizmo and GDPR


Information We Hold

We have conducted data audits to map data flows.

We have documented what personal data we hold, where it came from, who we share it with, and what we do with it.

Accountability and Governance


We have appropriate data protection policies, controls, and contracts.

Local Representative

We have nominated a data protection lead and will have a local representative assigned.

Management Responsibility

Decision makers and key people at SurveyGizmo have demonstrated support for data protection legislation and promotes a positive culture of data protection compliance across the business.

Information risks and data protection impact assessments

SurveyGizmo manages information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively.

Data Protection by Design

SurveyGizmo has implemented appropriate technical and organizational measures to show we have considered and integrated data protection into our processing activities.

Training and awareness

SurveyGizmo provides data protection awareness training for all staff.

Data processing contracts

SurveyGizmo only processes data on the documented instructions of a controller and there is a written contract outlining the respective responsibilities and liabilities of the controller and our business.

The use of sub-processors

SurveyGizmo has sought prior written authorization from the controller before engaging the services of a sub-processor, and there is a Data Processing Addendum (DPA) in place.

Operational base

SurveyGizmo operates inside and outside of the EU.

Breach notification

SurveyGizmo has effective processes to identify and report any personal data breaches to its controller.

SurveyGizmo has hundreds of robust features built and refined with data privacy in mind. Here are some of our favorites to use for GDPR compliance:

Feature availability depends on account license type. Check our Feature List for more details.

Visit our Documentation library to learn about the specifics of each and every SurveyGizmo feature.

The right to be informed.

Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under GDPR.

The right of access.

Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing.

The right to rectification.

Individuals have the right to have inaccurate personal data rectified, or completed if it is incomplete. An individual can make a request for rectification verbally or in writing. Organizations have one calendar month to respond to a request.

The right to erasure.

Individuals have the right to have personal data erased. This right is also known as “the right to be forgotten.” Individuals can make a request for erasure verbally or in writing. Organizations have one calendar month to respond to a request. This right is not absolute and only applies in certain circumstances.

The right to restrict processing.

Individuals have the right to request the restriction or suppression of their personal data. When processing is restricted, organizations are permitting to store the personal data, but not use it. Organizations have one calendar month to respond to a request. This right is not absolute and only applies in certain circumstances.

The right to data portability.

Individuals can obtain and reuse their personal data for their own purposes across different services. This right allows individuals to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. This right enables consumers to take advantage of applications and services which can use this data to find them a better deal, or help them understand their spending habits.

The right to object.

Individuals have the right to object to:

  • Data processing based on legitimate interested or the performance of a task in the public interest/exercise of official authority (including profiling);
  • Direct marketing (including profiling);
  • Data processing for purpose of scientific/historical research and statistics.
Rights in relation to automated decision and profiling.

This right protects individuals if organizations are carrying out solely automated decision-making that has legal or similarly significant effects on them.

What happens when I make a data rights request as a survey respondent?

SurveyGizmo will identify the Controller of your information (our customer) and will convey your request to them. As they own and control your data, they are responsible for taking requested actions.

Why do you need my email address and the survey link when I make a request?

The link is used to identify the customer who sent you the survey, and in turn, is responsible for ensuring your request is honored.

What happens when I make a data rights request as a survey creator?

We will make all reasonable attempts to comply with your request directly. However, please understand that some information may not “forgotten” as a Customer, due to our obligations to be able to contact you.

What if I need additional information about my company’s GDPR compliance?

It is recommended that you confer with counsel to ensure your specific requirements under GDPR and other international law are followed. SurveyGizmo can only assist with meeting compliance requirements by providing controls to aid in meeting obligations.

What does SurveyGizmo do with the information I provide in a survey?

SurveyGizmo only provides the platform used by our customers to conduct surveys. The individual responses to surveys are the property of the survey creator. SurveyGizmo does not interact with your data except where explicitly permitted by the customer.

Does GDPR replace Privacy Shield compliance controls?

No, GDPR and Privacy Shield work in parallel and are created/maintained by different regulatory bodies. SurveyGizmo is committed to ensuring compliance with both programs.

Registered office: 4888 Pearl East Circle, Suite 100W, Boulder, CO, 80301 USA