When Auntie Launches a Survey… and Forgets the GDPR
Launching a “little survey” without respecting the GDPR can be very expensive: even an amateur risks fines of several million euros.
Imagine Aunt Lucette. Charming, full of energy, a bit curious… and slightly cavalier with the law. One fine morning, she decides to launch a survey on social media. “It’s just for fun!”, she says. She creates a form, asks questions about health, political opinions, romantic preferences, collects first and last names, emails, and does it all without informing anyone. Result: 1,000 responses in 24 hours. She’s thrilled. Then she posts everything on Facebook. And that’s when disaster strikes.
Because Auntie has just, without knowing it, violated several articles of the GDPR. And this isn’t a mere administrative detail: it’s a minefield.
What the GDPR Says (and Requires)
The GDPR – General Data Protection Regulation – isn’t there to decorate forms. It governs all collection and processing of personal data. Even small family surveys are covered as soon as a response can be linked to an identifiable person.
Here are the basic rules Auntie should have followed:
• Provide clear information: everyone surveyed must know who is collecting the data, why, for how long, how, and with whom the data will be shared.
• Obtain freely given, informed consent: a tiny “I agree” button isn’t enough. The participant must understand what they’re agreeing to, without being tricked by dark patterns.
• Collect only what’s necessary: asking 25 questions when 3 would do? No. That violates the principle of data minimization.
• Ensure data security: forget unprotected Excel files on an old kitchen computer. The GDPR requires serious technical measures (encryption, access control, etc.).
• Respect individuals’ rights: every participant must be able to access their data, correct it, request its deletion, or object to its processing.
• Be extremely careful with sensitive data: religion, health, sexual orientation, political opinions… these are ultra-protected categories. Collecting them without a solid legal basis is prohibited.
• Define a clear retention period: data can’t be stored “just in case”. It must be deleted once the purpose has been achieved.
And If You Don’t Comply?
Well, Auntie risks a lot. Here are the main consequences of an improvised survey that ignores the rules:
• A data breach: imagine her file gets hacked. A thousand people exposed without their knowledge. It’s a nightmare for them, and a legal risk for her.
• Heavy sanctions: the CNIL (in France) can impose fines of up to 20 million euros or 4% of global turnover. Sure, Auntie doesn’t run a multinational, but even a private individual can be sanctioned.
• Complaints or even lawsuits: participants can seek compensation for invasion of privacy.
• A ruined reputation: whether it’s an association, a town hall, or a company, leaking or mishandling personal data leaves a mark.
Data Professionals Know What They’re Doing
This kind of mishap doesn’t happen to professionals (or at least, rarely). Analysts, data scientists, DPOs… everyone who works with data has been trained on these issues. They know:
• how to anonymize or pseudonymize responses,
• how to draft clear information notices,
• how to choose a GDPR-compliant survey platform,
• how to document the consents obtained.
In short, they’re reliable people who respect the law, protect participants, and take personal data seriously. You’ve been warned…
And If Your Data Was Exposed?
If you filled out a shady survey or feel that one of your old forms is circulating without your consent, here’s what you can do:
• Request deletion of your data (right to be forgotten – Article 17 of the GDPR): just write to the person responsible for the survey, stating “I request the deletion of all my personal data.” They have one month to respond.
• Revoke your consent: if you agreed but changed your mind, you have the right to withdraw it. Processing must stop.
• Report it to the CNIL: if the survey’s author doesn’t respond or refuses to delete your data, you can file an official complaint with the CNIL (https://www.cnil.fr/plaintes).
• Be vigilant: if sensitive data was published, change your passwords, monitor your accounts, and stay alert to any suspicious behavior.
In Conclusion
A poorly designed survey may seem harmless, but it exposes everyone to real dangers: loss of privacy, hacking, legal sanctions. The solution? Either you train yourself seriously in data management, or you entrust the task to a professional. Because when it comes to personal data, amateurism is not an option.
And remember: you always have the right to ask for your data to be erased. And if you’re refused, the CNIL is there to defend you.
