General Data Protection Regulation

General Information

The General Data Protection Regulation is a new set of privacy regulations and guidelines that replaces the Data Protection Directive 95/46/EC and effective May 25, 2018.


The General Data Protection Regulation (GDPR) will require numerous changes to organizations in the way they collect and process EU personal data.

The GDPR contains a number of new protections for EU citizens and threatens significant penalties for non-compliance. In addition, there are new security, recordkeeping, access rights, and notification procedures that companies must implement to ensure compliance. Issues that are attracting particular focus include increased administrative requirements, and the need to provide the tools necessary to meet the numerous obligations on both controllers and processors.

Qualtrics offers self-service products via an Application Service Provider model delivered via the Internet and using standard web browser software. Customers solely determine what data to collect, from whom and where, for what purpose, and for how long. Therefore, Qualtrics does not and cannot classify or represent any Customer data. All data are processed electronically on the instructions of the Customer as required to provide the software, support, and maintenance.

Since the Customer has full control over its data, it may have special obligations to protect the data outside the scope of the protection Qualtrics provides (for instance, if data were downloaded to the user’s local drive or printed). Qualtrics has always agreed to safeguard all Customer data with industry best standards regardless of what that data represents.

Enabling the Customer to be GDPR Compliant

Qualtrics enables its Customers to be GDPR compliant. Briefly stated, that means Qualtrics will:

  • provide sufficient guarantees to the controller to implement appropriate technical and organizational measures designed to safeguard Customer data
  • process data (that could include personal data) only to fulfil its obligations as related to the Services
  • enable users to modify and delete individual data points
  • enable users to modify and delete complete survey responses
  • enable users to modify and delete the entire project (responses and survey definitions)
  • provide security documentation that describes the processes and procedures for safeguarding the data
  • sign a contract that governs the processing of EU personal data

GDPR Contract

GDPR Article 28, Section 3, requires that a contract be in place between a data controller and a data processor. For years, the Qualtrics Terms of Service and Master Services Agreement have provided the fundamental legal requirements and obligations regarding data ownership, processing behavior, safeguarding data, breach notification, and more.

However, if a Qualtrics Customer desires to have a GDPR-specific contract, it may be electronically signed here with the password

GDPR Contract
This Contract appends the terms of an existing Agreement to satisfy the requirement of the GDPR Article 28, Section 3, that governs the processing of EU personal data. Once reviewed and signed, please send to

More Information

General information and FAQ regarding GDPR compliance is found at this link:

Technical details for customers on GDPR compliance:

Privacy statement:

Security statement:

Key Principles of GDPR and Responsible Parties

Both Qualtrics and its Customers (controllers) are separately and jointly liable for actions or inactions that do not comply with GDPR. Thus, the GDPR requires a shared responsibility to protect an individual’s right to privacy. The table below summaries these responsibilities and is included for clarification only.

Legend: Q = Qualtrics’ responsibility; C = Customer’s responsibility; S = Shared responsibility

Breach Notification Standards S
Data security and processing standards Q
Individual “unambiguous” explicit consent before data collected C
Individual withdraws consent; requests data deletion C
Parental consent to collect info on children C
Only transfer data to a country with adequate protection Q
Cross-border transfer of PII C
Post public privacy notice S
Follow requests from a DPA S
Allow right to data modification and to be forgotten* C
Provide data portability S
Rights of notice, access, and objection C
Clarifying role of controller and processor S
Data breach notification S
Collect data only for “specific, explicit and legitimate purposes” C

Note: this is not an exhaustive list

* Qualtrics enables the Customer to perform these functions. When a data controller cannot perform these functions due to insolvency or upon government request, Qualtrics will perform.