
DATA & ANALYTICS

Setting up a GDPR-proof customer satisfaction survey

Many B2B teams postpone their customer satisfaction survey for months, not because they aren't interested in feedback, but because the GDPR feels like a legal minefield. Can we just approach customers? What needs to be in the privacy statement? Setting up a GDPR-compliant customer survey doesn't require months of legal consultation; it comes down to five practical steps you can largely complete yourself.

11 min read · Feedback Analytics


Step 1: Determining the legal basis

Before you write even one survey question, you need to know which GDPR legal basis you're using for the processing. For commercial B2B customer surveys there are two realistic options: legitimate interest (article 6(1)(f)) or consent (article 6(1)(a)). The choice determines how you set up the rest of your survey.

When is legitimate interest sufficient?

Legitimate interest is the most commonly used basis for commercial customer satisfaction surveys. You can rely on it if you meet three conditions: you have a legitimate and concrete interest, the processing is necessary to achieve that interest, and the customer's privacy interests don't outweigh yours after a careful balancing test. In practice this means that as a B2B company you can send your customers an NPS or CSAT survey based on legitimate interest, as long as the purpose stays limited to improving your own services.

A concrete example: you process the email address and answers of an existing customer to measure your service quality. That customer could reasonably expect this, the processing is minimal and the purpose is clear. That passes the three-step test. Always document the balancing test in writing in a Legitimate Interest Assessment (LIA), because your data protection authority may ask for it.

When is consent required?

Consent is needed when legitimate interest isn't feasible: if you process special categories of personal data (such as health data), if you want to reuse the answers for other purposes, or if you approach people who aren't customers. Consent must be freely given, specific, informed and unambiguous. Use a clear checkbox in the invitation email and make sure the box is never pre-ticked.

Step 2: Drafting privacy information for your customers

Once you've determined the legal basis, you translate it into understandable information for your customers. This isn't a legal appendix nobody reads, but a short, clear text that accompanies every invitation. The GDPR obliges you to actively inform data subjects, and that also applies to customer satisfaction surveys.

Your privacy statement or participant information must contain at least the following elements:

  • Name and contact details of the data controller
  • Purpose of the survey and the legal basis
  • Which personal data is processed
  • Recipients of the data, such as the survey tool or a research agency
  • Retention period or the criteria used to determine it
  • Rights of data subjects: access, objection and erasure, and how to exercise them
  • Whether participation is voluntary
  • Contact details of the data protection officer (DPO), if appointed
  • Whether automated decision-making or profiling takes place, and if so: which logic is used


How do you communicate this in the invitation email?

You don't need to include the full privacy statement in the invitation email. Refer in the email to a separate privacy page and mention at least the purpose of the survey, the retention period and a contact person for questions. Write in plain language and avoid GDPR jargon towards the recipient. 'We process your data based on article 6(1)(f)' means nothing to anyone; 'We keep your answers for a maximum of 12 months to improve our service' is much clearer.

Step 3: Choosing a GDPR-compliant tool and recording processing agreements

Tools that send data to servers in the US by default without an appropriate legal basis violate the GDPR.

The choice of your survey tool is a GDPR decision. Every tool that processes personal data on your behalf is a processor within the meaning of the GDPR. As the data controller you are obliged to conclude a data processing agreement, and you cannot skip it.

Pay attention to these points when choosing a survey platform:

  • Data storage within the European Economic Area
  • A clear transfer mechanism for any sub-processors outside the EEA (standard contractual clauses)
  • Technical security measures such as encryption and access restriction
  • The ability to delete or export data when the service ends

Data processing agreement: the essential components

Under article 28 GDPR, the data processing agreement must regulate at least the following:

  • Subject matter, duration and purpose of the processing
  • The instruction that the processor only acts on your written instructions
  • Confidentiality obligation for the processor's staff
  • Concrete security measures
  • Rules for sub-processors, including the written consent requirement
  • Notification duty in case of data breaches
  • Return or deletion of data after the service ends

Feedback Analytics: GDPR-ready for European B2B teams

Feedback Analytics is designed for European B2B teams and provides a data processing agreement that meets the requirements of article 28 GDPR. Data is stored within the EU and sub-processors are arranged in a GDPR-compliant way. The setup, including all privacy safeguards, is completed in minutes, even without a technical background. The platform also supports sending from your own domain via SPF/DKIM, so the email delivery of your invitations is professional and consistent.

Step 4: Technical measures: security, minimisation and retention

Besides the contractual side, there are technical measures the GDPR requires from you as the data controller. These are not optional improvements; they are basic requirements under article 32 GDPR. The law doesn't prescribe specific tools, but does demand appropriate measures matched to the risk of your processing.

Data minimisation and pseudonymisation in practice

Ask in your survey only what you really need for the research purpose. You need name and email address for follow-up, but not for analysing answers. Use pseudonymisation by linking responses to an internal respondent ID instead of directly to customer data. Pseudonymised data remains subject to the GDPR as long as it can be traced back to a person, but it considerably lowers the risk in case of a data breach.

As soon as follow-up is no longer needed, anonymise the data. After anonymisation it falls outside the GDPR's scope. Also disable IP address logging if your tool records it by default and you don't need the IP address.

Setting and observing retention periods

There is no fixed legal retention period for customer satisfaction data; you set it yourself based on your purpose. A common approach for B2B teams is deleting raw answers after 12 to 24 months and keeping anonymised trend data longer for benchmarking. This is a practical example, not a legal standard; substantiate your chosen period in your LIA and processing register.

Document the period in your processing register and set up automatic deletion or a reminder notification via your tool or CRM. Without a documented period you run a risk during an audit by your data protection authority.
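As an added illustration of the pseudonymisation and retention steps above (this is constructed example code, not code from the article or from the Feedback Analytics platform): contact details and answers are held in two separate tables linked only by a random respondent ID, anonymisation drops that link, and a purge deletes raw answers past the configured retention period while monthly NPS aggregates, which identify no one, stay. The class name, the 365-day default and the sample addresses are assumptions.

```python
import secrets
from datetime import date, timedelta


class SurveyStore:
    """Constructed in-memory store. Contact details and answers live in two
    separate tables linked only by a random respondent ID, so the answers
    table on its own cannot be traced back to a person."""

    def __init__(self, retention_days=365):
        self.retention_days = retention_days
        self.identities = {}  # respondent_id -> email, kept only for follow-up
        self.responses = {}   # respondent_id -> {"score": int, "date": date}
        self.trend = {}       # "YYYY-MM" -> promoter/passive/detractor counts

    def record(self, email, score, answered_on):
        """Store one answer; answered_on is an ISO date string. No IP address
        or other metadata is kept, as none is needed for the purpose."""
        answered = date.fromisoformat(answered_on)
        # Random token, not a hash of the email: a hash could be re-derived
        # from a customer list and would defeat the pseudonymisation.
        rid = secrets.token_hex(8)
        self.identities[rid] = email
        self.responses[rid] = {"score": score, "date": answered}
        # Aggregate counts carry no personal data and may be kept longer.
        bucket = self.trend.setdefault(
            answered_on[:7], {"promoters": 0, "passives": 0, "detractors": 0})
        key = "promoters" if score >= 9 else "passives" if score >= 7 else "detractors"
        bucket[key] += 1
        return rid

    def contact_for(self, rid):
        """Used by the follow-up flow; None once the respondent is anonymised."""
        return self.identities.get(rid)

    def anonymise(self, rid):
        """Drop the link to the person as soon as follow-up is no longer needed."""
        self.identities.pop(rid, None)

    def purge_expired(self, today):
        """Delete raw answers older than the retention period; returns how many."""
        cutoff = date.fromisoformat(today) - timedelta(days=self.retention_days)
        expired = [rid for rid, r in self.responses.items() if r["date"] < cutoff]
        for rid in expired:
            del self.responses[rid]
            self.identities.pop(rid, None)
        return len(expired)

    def nps(self, month):
        """Net Promoter Score for a month from the anonymous aggregates."""
        b = self.trend[month]
        return round(100 * (b["promoters"] - b["detractors"]) / sum(b.values()))
```

In production the purge would run from a scheduled job and the identity table would sit in a separately access-controlled store, so a leak of the answers table alone exposes no one.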

Step 5: When is a DPIA mandatory for your customer survey?

For most standard B2B customer satisfaction surveys a DPIA (Data Protection Impact Assessment) is not mandatory. In specific cases, however, a DPIA is indeed required, and failing to carry it out is a serious compliance risk that can lead to fines or enforcement.

The criteria that trigger a DPIA

A DPIA is mandatory if the processing is likely to result in a high risk for data subjects. The European Data Protection Board (EDPB) has established nine risk criteria in its guidelines, including large-scale processing, processing of special categories of personal data such as health data, systematic monitoring or profiling, and processing data about vulnerable groups. If your processing meets two or more of these criteria, a DPIA is generally mandatory.

The practical rule of thumb for B2B: a regular NPS or CSAT survey among existing business customers normally doesn't trigger a DPIA.

What a valid DPIA must contain

If a DPIA is needed, it must contain at least four elements: a description of the processing (which data, which method, which purpose), a substantiation of necessity and proportionality, a risk assessment for data subjects, and the measures you take to limit those risks. If the risks remain high despite your measures, prior consultation with your data protection authority is mandatory before you start the processing.

Practical checklist: start GDPR-compliant

You now have the five building blocks for a GDPR-compliant customer survey. Here they are in the order to follow:

  • Determine the legal basis and document the balancing test in writing in an LIA if you choose legitimate interest.
  • Draft privacy information and include it in your invitation email, with a link to your full privacy statement.
  • Choose a GDPR-compliant tool with EU data storage and conclude a data processing agreement that meets article 28 GDPR.
  • Apply technical measures: minimise the data you collect, apply pseudonymisation and set retention periods with automatic deletion.
  • Assess whether a DPIA is needed and document your conclusion, even if it is that a DPIA isn't mandatory.

From compliance worry to first measurement

If you want to start right away without building the compliance yourself, choose a platform that includes all these requirements by default. Feedback Analytics combines survey building, smart question logic, automated follow-up flows and real-time analyses in one GDPR-compliant platform, including a data processing agreement and EU data storage.

That's how you answer the question of how to run a GDPR-compliant customer satisfaction survey not just in theory, but also in practice. With the five steps from this article you set up your first GDPR-compliant customer survey without months of legal consultation.

Frequently asked questions

Can I send customers a satisfaction survey without consent?

Usually yes, based on legitimate interest (article 6(1)(f) GDPR). Conditions: a legitimate and concrete interest, the processing is necessary, and the customer's privacy interests don't outweigh yours. Document that balancing test in writing in a Legitimate Interest Assessment (LIA).

When do I need consent for my customer survey?

If you process special categories of personal data (such as health data), want to reuse answers for other purposes, or approach people who aren't customers. Consent must be freely given, specific, informed and unambiguous, with a checkbox that is never pre-ticked.

Is a data processing agreement with my survey tool mandatory?

Yes. Every tool that processes personal data on your behalf is a processor within the meaning of the GDPR, and article 28 GDPR requires a data processing agreement. It covers the purpose of processing, security measures, sub-processors, breach notification and deletion of data afterwards.

How long can I keep customer satisfaction data?

There is no fixed legal period; you determine it yourself based on your purpose. A common approach is deleting raw answers after 12 to 24 months and keeping anonymised trend data longer. Document the period in your processing register and set up automatic deletion.

Is a DPIA mandatory for a customer satisfaction survey?

Normally not for a regular NPS or CSAT survey among existing business customers. A DPIA is mandatory if the processing is likely to result in a high risk, for example with large-scale processing, special categories of data or systematic monitoring. Always document your conclusion.
