Data subjects have the right to be provided with information on the identity of the controller, the reasons for processing their personal data and other relevant information necessary to ensure the fair and transparent processing of personal data. Such information must be provided in a concise, transparent, intelligible, using clear and plain language.
Article 13 of the GDPR is particularly helpful in understanding what information should be included in the privacy notice of a survey. Recitals: 60, 61, 62 can help with interpreting.
We suggest using a header for each of the points covered in article 13:
- Contact details
- Purposes and legal basis of the processing
- Categories of data being processed
- Recipients of the personal data
- Data retention
- Rights of the respondent (See Art. 13.2 and Recital 63 GDPR)
- Access, rectification, erasure, portability, revocation, complaint
- Existence of automated decision-making, including profiling
These are just suggestions and a starting off point. This list is not meant to be complete. You should seek independent legal advice for the actual privacy notice you will show to respondents, as only a lawyer can provide you with legal advice specifically tailored to your situation.