SurveyMonkey and GDPR Compliance

SurveyMonkey is complying with the General Data Protection Regulation (GDPR) and our features help you to be compliant.

The GDPR took effect on May 25, 2018. This regulation standardizes data privacy laws across the European Union (EU). You may be entitled to exercise GDPR rights and we'll do our best to help customers comply with requests you may get from your respondents.

TIP! Enter into a Data Processing Agreement (DPA) with SurveyMonkey.

Jump to...


GDPR Overview


Under GDPR, EU data subjects are entitled to exercise the following rights:

  • Right of Access: Find out what kind of personal information is held about you and get a copy of this information.
  • Right of Rectification: Ask for your information to be updated or corrected.
  • Right to Data Portability: Receive a copy of the information you've provided under contract so you can provide it to another organization.
  • Right to Restrict Use: Ask for your personal information to stop being used in certain cases, including if you believe that the personal information about you is incorrect or the use is unlawful.
  • Right to Object: Object to use of your information where a party is processing it on legitimate interest basis, and object to have your personal information deleted.
  • Right to Erasure (also known as Right to be Forgotten): Request that your personal information be deleted in certain cases.


Data controllers determine how personal data is processed, data processors process personal data on behalf of a data controller, and data subjects are persons whose personal data is collected or used.

Data controllers within or outside of the EU are required to respond to requests from EU data subjects who ask to exercise their GDPR rights.

  • Account holders are data controllers of the response data they collect, while SurveyMonkey is the data processor of this data.
  • SurveyMonkey is a data controller of very limited data about respondents—we may use data including cookie data and IP address for specific purposes as described in our Privacy Policy.
  • For data subjects like account holders and site visitors, SurveyMonkey is the data controller of certain personal data including name, email address, and digital identifiers like a cookie ID or IP address, among other things. We describe in detail the data we collect, how we use it, and how long we retain it in our Privacy Policy.


Account Holders

Account holders can be either individual survey creators or organizations who own a SurveyMonkey account with multiple users. You can view, edit, delete, and download some of your data directly in your account, or you can contact us to exercise your rights under GDPR.

These articles can help you manage your personal data:

Deleting your account may not remove all your personal data from SurveyMonkey. If you want to exercise your right to be forgotten, contact us so we can help.

SurveyMonkey account holders within or outside of the EU are required to respond to GDPR requests from EU data subjects who ask to exercise their rights.

Account holders are responsible for ensuring surveys are GDPR compliant, as necessary. We suggest using features to make responses anonymous to avoid collecting personal data and informing survey-takers about how you plan to use survey data by adding a consent statement, and we encourage you to seek your own legal advice to comply with the GDPR.


Respondents & Panelists

Survey respondents and panelists are people that answered a survey sent by an account holder. You should contact the account holder who is responsible for editing, deleting, or giving you a copy of your responses.

If you're unable to get in touch with the account holder, please contact us with the following:

  • Survey link, email invitation, or web page you used to take the survey
  • Approximate date and time you took the survey
  • Your name and email address
  • Any response you provided that can be used to identify you

Since SurveyMonkey is not the data controller of response data, we can't directly handle these types of GDPR requests, but we'll help you identify and put you in contact with the account holder.


Site Visitors

A site visitor can be anyone that visits a SurveyMonkey webpage. Site visitors can delete personal data we might have stored about them at anytime by clearing cookies, opting out of cookies, and unsubscribing from marketing emails.

Other Communications

If you've communicated with SurveyMonkey via email or other channels not listed here, and you want to exercise your GDPR rights, contact us. We may ask you to verify your identity and for info about the communications you received so we can complete your request.


Handling GDPR Requests

How account holders can comply with GDPR requests

As an account holder, you're required to respond to requests from EU data subjects who ask to exercise their GDPR rights. Since SurveyMonkey is not the data controller of response data, we can't directly handle these requests for you, but we will help you to comply with such requests you might get from your respondents.

These articles can help you manage respondent data requests:

If you're unable to fulfill a respondent's GDPR related request using the information above, please contact us.

How SurveyMonkey complies with GDPR requests

If you're unable to exercise your GDPR rights as an EU citizen using the information above, or you want to exercise your right to be forgotten, please contact us. We respond to requests within 30 days. However, it may take longer to complete the request. We'll be sure to let you know these details over email.

If you're dissatisfied with how we managed your request, you can contact your local data protection supervisory authority from the ODPC Website. Our European entity is SurveyMonkey Europe UC, which operates in Ireland under the remit of the Irish Office of the Data Protection Commissioner.

유럽연합 개인정보 보호법(General Data Protection Regulation, GDPR)은 2018년 5월 25일에 발효되었습니다. 유럽연합 시민은 GDPR 권리를 행사할 자격이 있으며, SurveyMonkey는 고객이 응답자로부터 받을 수 있는 요청을 준수할 수 있도록 최선을 다해 도와드립니다.

답을 얻으세요