SurveyMonkey Embeds and Data Protection – What Belongs in the Privacy Policy

SurveyMonkey Embeds: processed data, GDPR legal bases, DPA and mandatory disclosures for the privacy policy when embedding surveys.

Website operators frequently embed SurveyMonkey surveys directly into their website by means of an iFrame or a JavaScript widget in order to collect user feedback. In doing so, personal data of the survey participants is transferred to SurveyMonkey servers – in particular the IP address, location data, browser information and the survey answers themselves. Including appropriate data protection notices in the privacy policy is legally required; the notices should transparently inform about the processing, the provider and the data subject rights.

A. Purpose and Function of SurveyMonkey Embeds

SurveyMonkey is a cloud-based survey and form management platform of Momentive Global Inc. (USA), with its European branch SurveyMonkey Europe UC in Dublin, Ireland. The Embed function enables website operators to integrate surveys directly into their website – without users having to leave the website.

The integration typically takes place in two ways:

  1. iFrame embedding: The website operator embeds an iFrame code that points to a SurveyMonkey server. The browser thereby loads content directly from the SurveyMonkey servers.
  2. JavaScript widget: A small JavaScript script is embedded in the website that displays the survey as an interactive element.

With both methods, the user's browser automatically establishes a connection to SurveyMonkey servers – regardless of whether the user actually fills in the survey. It is during this connection that personal data such as the IP address is transferred.

Note: The full SurveyMonkey platform with login, dashboard and survey creation is not dealt with here. The focus is on the embed integration for website visitors.

B. Mandatory Disclosures in the Privacy Policy

Under the EU General Data Protection Regulation (GDPR), website operators must transparently disclose in their privacy policy which personal data is processed by embedded third-party tools and under which conditions (Art. 13, 14 GDPR). This also concerns technical components such as JavaScript codes and iFrames that automatically transfer personal data.

The privacy policy should cover the following content:

  • Identity of the provider: Name, address, contact details
  • Type and scope of data processing: Which data types are captured?
  • Purposes of processing: For which purposes does the provider use the data?
  • Legal basis: On the basis of which legal basis does the processing take place?
  • Data categories and retention period: How long is data kept?
  • Data subject rights: How can users exercise their rights?
  • Third-country transfer: If data is transferred to the USA, which protection mechanisms apply?

Criticism of generic text templates: Many online generators offer blanket text templates that do not reflect the specific configuration of one's own survey. If, for example, the survey does not collect an e-mail address but the text template lists it, the privacy policy is factually wrong and contradictory. A tailor-made adaptation is necessary.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law

Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider

Primary provider: SurveyMonkey Europe UC, Dublin, Ireland (European branch, see section A)

Parent company and data processing:

  • Momentive Global Inc. (USA) acts as parent group and is responsible for global data processing
  • SurveyMonkey Inc. is self-certified under the EU-U.S. Data Privacy Framework (DPF) for data transfers to the USA
  • The DPF status can be viewed at https://www.dataprivacyframework.gov/s/participant-search

Legal status: SurveyMonkey acts as processor for survey data collected by website operators. At the same time, SurveyMonkey also processes personal data as an independent controller for its own business purposes (product improvement, security, analytics). This dual role should be differentiated in the privacy policy.

D. Data Processing – Workflow

The user accesses a website that contains a SurveyMonkey embed. The browser automatically establishes a connection to SurveyMonkey servers in order to load the widget/iFrame. In doing so, technical data (IP address, user agent, timestamp) is already transferred – without the user having to fill in the survey.

SurveyMonkey stores this data in its databases. IP addresses are automatically deleted from backend logs after 13 months. Survey answers are stored longer; the retention period depends on the plan and configuration.

SurveyMonkey uses the data for two purposes: (1) to provide the survey results to the website operator (processing on behalf) and (2) for its own operational purposes such as security monitoring, abuse prevention and product improvement (independent responsibility).

Survey answers are made available to the website operator via the SurveyMonkey dashboard. Technical logs may potentially be passed on to security partners or authorities (depending on requirement and jurisdiction).

Survey answers can be manually deleted by the website operator. IP addresses in logs are automatically anonymised after 13 months. Other data is subject to longer retention periods.

E. Data Collected

SurveyMonkey collects several categories of personal data when an embed is loaded. The exact scope depends on the technical configuration. The following data types are typically processed:

  • Web server log data: IP address of the requesting device, exact timestamps of the access, HTTP referrer (from which page does the access come?)
  • Device data: Device type (desktop, tablet, smartphone), operating system and its version
  • Browser information: Browser type, browser version, installed plug-ins
  • Rough location data: Geographical location (at country/region level), derived from IP address
  • User content: All answers given in the survey – these may be personal data, depending on the survey design (e.g. if name, e-mail or sensitive categories are queried)
  • User account data: If the user is logged in to SurveyMonkey, account information is also linked to the answer

Important: The website operator itself determines through the survey design which sensitive data is collected. SurveyMonkey provides the technical infrastructure but bears co-responsibility for compliance with data protection principles.

F. Purposes of Use

The data is processed by SurveyMonkey for the following purposes:

  • Function provision: Display and execution of the embedded survey in the user's browser; technical processing of user input
  • Communication with the website operator: Transmission of the survey results to the customer dashboard; reporting and analysis of the answers
  • General product improvement: Use of anonymised or aggregated data to improve the SurveyMonkey service, to optimise the embed functionality and to identify errors
  • Security and abuse prevention: Monitoring for suspicious activities, multiple answers from the same IP address (ballot stuffing), authentication
  • Legal obligations: Compliance with laws, authority requests, enforcement of terms of use

The use for analysis purposes (point 3) takes place under SurveyMonkey's independent responsibility and is not part of the processing on behalf for the website operator.

G. Legal Bases

The legal bases for the data processing are to be considered in a differentiated manner:

On automatic loading of the embed (IP address, browser data):

  • For the pure function provision of the widget, it can be argued that legitimate interest pursuant to Art. 6(1)(f) GDPR exists (website operator has interest in user feedback)
  • However, if the embed contacts external servers without user consent (which is typically the case), § 25 TDDDG (Telemedia Act) and the ePrivacy Directive apply: consent is required for setting cookies or for accessing information on the user's terminal device

For survey answers (content):

  • If the user fills in the survey voluntarily: consent of the survey participant (Art. 6(1)(a) GDPR)
  • If the survey is required as part of a contract: contract performance (Art. 6(1)(b) GDPR)
  • Own use by SurveyMonkey (product improvement): legitimate interest (Art. 6(1)(f) GDPR)

Third-country transfer (USA):

  • SurveyMonkey Inc. is certified under the Data Privacy Framework
  • Additionally, Standard Contractual Clauses apply for transfers to the USA
  • A DPA (Data Processing Agreement) with SCCs is available with premium plans

H. Special Features and Notes

1. Sensitive data types in surveys: Depending on the survey design, survey answers may contain sensitive data (health, political beliefs, trade union membership, etc.). In such cases Art. 9 GDPR applies (processing of special categories). Consent is then mandatory.

2. Role of the website operator: The website operator is itself controller (Art. 4(7) GDPR) for the decision to embed SurveyMonkey. It must therefore itself check whether the legal requirements are met.

3. Consent vs. legitimate interest: The automatic loading of the embed on page access is typically not justified by legitimate interest, but requires consent (§ 25 TDDDG). The website operator should obtain consent before loading the embed – for example through a cookie banner or consent management (CMP).

4. Data Processing Agreement (DPA): SurveyMonkey offers a Data Processing Agreement. This is available at https://www.surveymonkey.com/mp/legal/data-processing-agreement/. A DPA should be concluded by the website operator in order to safeguard the processing on behalf in a documented manner.

5. Third-country transfer and DPF: Most European customer data is stored on servers in the USA. SurveyMonkey is certified under the EU-U.S. Data Privacy Framework (DPF), which guarantees an adequate protection. However, this should be mentioned in the privacy policy.

6. Opt-out and user control: With iFrame embedding, it is difficult to offer users a real opt-out. Technically, one could only load the embed after consent, which impairs user-friendliness. This tension should be transparently disclosed.

7. Retention period:

  • IP addresses: max. 13 months
  • Survey answers: depending on customer configuration, typically until deletion by the customer
  • Account data: as long as the customer account is active
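Points 3 and 6 above say the embed should only be loaded after consent. The following is an added example (not SurveyMonkey's or the article's own code) of a consent-gated loader: until the CMP reports an opt-in for the survey purpose, the browser makes no request to SurveyMonkey at all and shows a placeholder instead. It assumes the CMP hands over a consent object with a boolean `surveymonkey` flag; `SURVEY_URL` is a constructed placeholder, not a real survey.

```javascript
// Added example: consent-gated SurveyMonkey embed (not SurveyMonkey's own code).
// Assumptions: the CMP provides a consent object with a boolean "surveymonkey"
// purpose flag; SURVEY_URL is a constructed placeholder, not a real survey.
const SURVEY_URL = "https://www.surveymonkey.com/r/PLACEHOLDER_ID";

// Accept only HTTPS survey pages on SurveyMonkey's own hosts, so a tampered
// configuration cannot turn the container into a frame for arbitrary content.
function isAllowedSurveyUrl(url) {
  let u;
  try { u = new URL(url); } catch (e) { return false; }
  const host = u.hostname;
  return u.protocol === "https:" &&
    (host === "www.surveymonkey.com" || host.endsWith(".surveymonkey.com"));
}

// § 25 TDDDG: no request to SurveyMonkey before an explicit opt-in for this purpose.
function mayLoadEmbed(consent) {
  return consent !== null && typeof consent === "object" && consent.surveymonkey === true;
}

// Attributes for the iframe once consent exists. The referrer policy keeps the
// full page URL out of the HTTP referrer that section E lists as transferred data.
function embedAttributes(url) {
  if (!isAllowedSurveyUrl(url)) throw new Error("not a SurveyMonkey survey URL: " + url);
  return {
    src: url,
    title: "Survey",
    loading: "lazy",
    referrerpolicy: "strict-origin-when-cross-origin",
    sandbox: "allow-scripts allow-forms allow-same-origin allow-popups",
  };
}

// Renders either the real iframe or a consent placeholder into `container`.
// `doc` defaults to the browser document; tests can pass a minimal stand-in.
// Returns which of the two was rendered. Call it again from the CMP's
// consent-change callback so the survey appears once the visitor opts in.
function mountSurvey(container, consent, url, doc) {
  doc = doc || globalThis.document;
  if (!mayLoadEmbed(consent)) {
    const note = doc.createElement("p");
    note.textContent = "This survey is provided by SurveyMonkey (USA). " +
      "Please accept the survey purpose in the cookie settings to load it.";
    container.replaceChildren(note);
    return "placeholder";
  }
  const frame = doc.createElement("iframe");
  const attrs = embedAttributes(url);
  for (const name of Object.keys(attrs)) frame.setAttribute(name, attrs[name]);
  container.replaceChildren(frame);
  return "embed";
}
```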

I. Conclusion

SurveyMonkey embeds are a functional feedback tool, but – like all third-party integrations – bring data protection responsibilities. Website operators must transparently disclose that personal data is transferred to a US-based provider when using the embed.

The privacy policy should not only exist, but be tailor-made: A generic text template that does not reflect the specific data collection of one's own survey is not sufficient and can lead to reprimands in the event of authority checks or data protection complaints.

A written Data Processing Agreement with SurveyMonkey is essential. SurveyMonkey provides a standard DPA with Standard Contractual Clauses, which secures the legality of the data transfer to the USA.

In summary: Consent before loading the embed, conclude DPA, adapt privacy policy, enable data subject rights – these four steps are the basis for data-protection-compliant embedding.

Disclaimer and validity status: This article provides general information and not legal advice. The applicability of the regulations may vary in individual cases. As of: April 2026.

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com