Privacy and Data Protection in Online Surveys

Data protection in the context of online surveys and online research has different facets. Legal regulations, professional and ethical codes must be observed, but protecting your data properly goes farther. SoSci Survey supports you in protecting your own interests, collecting data in compliance with the law and protecting the privacy of your respondents.

No Disclosure and Use of Your Data

SoSci Survey does not claim your questionnaires or the data you collect. This data is not passed on to third parties and is not used to train AI models. SoSci Survey does not analyze the collected data for its own purposes and does not pass it on to third parties in aggregated form.

We only reserve the right to evaluate metadata (e.g. processing times in the questionnaire, usage of different question types) in order to better adapt the functionality of SoSci Survey to practical needs. For example, in 2024, around one in four interviews across all studies was conducted on a mobile device.

Allowing for Anonymity

Participants are often guaranteed anonymity, both in employee surveys and in many scientific studies. SoSci Survey does offer the option of collecting contact details or IP addresses. In the default setting, however, no data is collected that can be used to identify a participant (privacy by default).

By avoiding IP addresses in server log files and abstaining from cookies, your respondents can actually enjoy the anonymity that you assure them.

Protection of Personal Data

If you do not work with anonymous data, you handle personal data. Such data is subject to the special protection of the GDPR and other legal regulations.

SoSci Survey supports you with options for pseudonymization (e.g. for multi-wave surveys) and differentiated control over which persons in a joint survey project have access to which program functions. Our cloud service also provides all the other necessary modules for fulfilling your obligations under the GDPR, which are presented in detail below.

Please note that only the pro server s2survey.net allows the processing of personal data. Only contact data may be processed on the standard server www.soscisurvey.de (details).

Protection Against Unauthorized Access

On the technical side, it must be ensured that data does not fall into the wrong hands or get lost due to carelessness or technical defects. Among other things, SoSci Survey uses the following technical measures to protect against unauthorized access:

  • Continuous SSL encryption (HTTPS) protects the data both when filling in the questionnaire and when retrieving the collected data. A secure SSL configuration (Qualys SSL Labs) ensures that the transmission of data is actually secure. A highly compatible configuration and established certification bodies ensure that even users of older browsers can access the questionnaire correctly. For particularly high demands, our pro server s2survey.net offers an SSL certificate with Extended Validation (EV), which most browsers signal with a green address line.
  • A web server requires a number of software products. We complement the actual survey software "SoSci Survey" with proven components, from the operating system (Ubuntu Linux) to the server application (nginx) to the database (MySQL) and the encryption of backup copies (GPG). Security updates for these software packages are installed several times a day.
  • The server is located in the certified and secured data center of the provider M-net Telekommunikations GmbH. The server is administered via proven SSH encryption, which is additionally protected against hacker attacks.

Protection against Technical Failures

Technical defects can never be completely excluded. But the risks and possible consequences can be greatly limited by a number of measures:

  • The technical operation of the survey server is carried out by PartnerGate GmbH, a member of the InterNetWire group, and is therefore always up to date.
  • The use of virtual machines and current storage technologies allows a certain independence between technical components and the actual operation. Technical defects have no or only short-term effects.
  • Encrypted daily backups of questionnaires and collected data protect against data loss due to human error and software errors.

Software Functionality

Survey projects are very different, and what data protection means always depends on the individual case. Should participation in a study be anonymous or are specifically selected customers being surveyed? Is personal data collected in the questionnaire? Is it necessary to ensure that participants complete the questionnaire only once? Are e-mail addresses or telephone numbers transmitted to send invitation e-mails or SMS?

SoSci Survey offers numerous features to provide optimal data protection for every purpose. The serial mail function, for example, allows tracking whether an addressee has edited the questionnaire (e.g. for a reminder mail/review action) and at the same time ensures that the collected data remains anonymous. Concrete recommendations and explanations can be found in the instructions for SoSci Survey in the chapter on data protection in online surveys.

State protection

SoSci Survey GmbH has its headquarters in Munich (Germany), as does the data center that houses the survey servers www.soscisurvey.de and s2survey.net.

In an international comparison, Germany offers a very high level of data protection, both with regard to the obligations of companies and with regard to governmental/agency access and interference.

In addition, the location makes it much easier for German and European companies to collect and process personal data in a legally compliant manner.

Contractual regulations

Our General Terms and Conditions (GTC) explicitly state that your data belongs to you exclusively. If you collect personal data in your online survey (Personal Data), it is necessary to conclude a Data Processing Agreement (DPA) in accordance with European privacy law (GDPR). You can check the DPA template and relevant documents online, and prepare a DPA for signature online (DPA with SoSci Survey). Please note that personal data may only be collected and processed on the pro server (Pro Server s2survey.net). Based on experience, we keep encrypted backups for the server www.soscisurvey.de for a period of 12 months, which is usually not compatible with the GDPR requirements for data deletion.

In the case of employee surveys, we recommend that the works council and the data protection officer be consulted at an early stage. For an employee survey to be successful, it requires the support of employees, and any concerns must be clarified before the survey can even become an issue in the company. We are happy to help clarify the situation, be it through open and detailed information or in a personal conversation.

Browsing the Website, Creating and Answering Online Surveys

Information on data protection when using the www.soscisurvey.de website can be found in Data Protection Information.