Articles

Data Protection & GDPR

What is Personal Data in Survey Research?

Explains what personal data is in surveys under GDPR and how to handle it securely.

By Rasmus Skaarup, Contract Manager Enalyzer
By Rasmus Skaarup, Contract Manager Enalyzer
20 April 2026
———
4 minute read
Illustration of survey data and personal information—such as name, email, and phone number.

In this article

Ready to elevate the quality of your surveys?

Enalyzer brings together platform and expertise, enabling you to develop surveys with a solid methodological foundation and data you can apply directly in your decision-making.

Get started -->

Introduction

When you conduct a survey, you often collect information about people. In many cases, this information will be personal data, which is regulated by GDPR. It is therefore important to understand when survey data falls into this category.

Definition of Personal Data

According to GDPR Article 4(1), personal data is defined as:

“Any information relating to an identified or identifiable natural person.”

A person is considered identifiable if they can be identified directly or indirectly, for example through:

  • Name
  • Email address
  • Phone number
  • Employee number
  • IP address
  • Location data
  • A combination of several pieces of information

Even if a survey does not contain names or email addresses, responses may still be personal data if they can be linked to a specific individual.

Examples of Personal Data in Surveys

In practice, many types of survey data may qualify as personal data.

Directly Identifying Information

Information that directly identifies a person, for example:

  • Name
  • Email address
  • Phone number
  • Employee ID
  • Customer ID

If this information is collected in a survey, the data will always be considered personal data.

Indirectly Identifying Information

Information that does not identify a person on its own, but may do so when combined with other data:

  • Age
  • Position or job title
  • Department
  • Geographic location
  • Responses to open-ended text fields

If an organization can combine this information to identify an individual, it is also considered personal data.

Text Responses and Comments

Open text fields may also contain personal data. Respondents may, for example, write:

  • Names of colleagues or managers
  • Personal experiences or incidents
  • Identifying details about their workplace

Organizations should therefore pay close attention to how open responses are handled and stored.

Sensitive Personal Data in Surveys

GDPR distinguishes between personal data and special categories of personal data, often referred to as sensitive data.

These include information about:

  • Health
  • Trade union membership
  • Political opinions
  • Religious beliefs
  • Sexual orientation
  • Ethnic origin

If a survey collects this type of information, stricter requirements apply to how the data is processed and protected.

When Is Survey Data Not Personal Data?

Survey data is not considered personal data if it is fully anonymized.

This means that:

  • No individuals can be identified
  • No information can be linked to specific individuals
  • It is not possible to reconstruct identities, even indirectly

It is important to distinguish between anonymization and pseudonymization:

  • Anonymized data cannot be traced back to a person
  • Pseudonymized data can still be linked to a person through a key or additional information

Pseudonymized data is therefore still considered personal data under GDPR.

Why Is This Important in Surveys?

If survey data contains personal data, the organization must comply with GDPR. This includes, among other things:

  • Having a legal basis for processing
  • Ensuring data security and access control
  • Informing respondents about how their data will be processed
  • Entering into a Data Processing Agreement (DPA) with providers of survey tools
  • Limiting data storage to what is necessary

In this context, the organization acts as the data controller, while the provider of the survey platform typically acts as the data processor.

Best Practices for Handling Personal Data

When working with surveys, the following practices are important:

  • Only collect the information that is necessary
  • Consider whether the survey can be conducted anonymously
  • Limit access to survey data
  • Use secure survey tools with strong data security
  • Document how personal data is processed

A well-considered approach to data security and GDPR compliance strengthens trust, data quality, and compliance. With a strong DPA like Enalyzer’s, plus access to expert support and consulting, you can manage this securely and confidently with us.

Sources

  • European Parliament and Council. General Data Protection Regulation (GDPR), Article 4(1) – definition of personal data.
  • European Data Protection Board (EDPB). Guidelines on personal data and identifiability.
  • Danish Data Protection Authority (Datatilsynet). What is personal data?
  • Enalyzer Trust Center. Data security and GDPR compliance in survey platforms.

Learn how to collect survey data in a GDPR-compliant way →

Recommended articles

Based on this article, we’ve selected a few related reads you might find relevant.
No articles in this category.
View all

Start your journey with Enalyzer today.

We'll match you with the right expert.

Start now —>