GDPR and Customer Feedback in B2B: What You Can Actually Collect [2026]
You do not need consent to run a satisfaction survey. You need the right legal basis, disciplined data minimisation, and feedback data you can actually export. Here is what GDPR and the EU Data Act require in practice.
- For satisfaction surveys to existing B2B customers, legitimate interest (GDPR Article 6(1)(f)) is almost always the correct legal basis, not consent. Consent is revocable, harder to document, and usually the wrong tool for a survey.
- The real compliance risk is not the survey invitation. It is the open-text answers where customers paste personal data, and verbatims that sit in a dashboard for years because no one owns deletion.
- Minimise what you collect, pseudonymise where you can, and set a retention limit before you send the first survey, not after a data subject request lands.
- Anonymous surveys feel safer but often destroy the value of B2B feedback. You cannot recover a detractor you cannot identify. Pseudonymisation plus minimisation beats anonymity.
- Since 12 September 2025, the EU Data Act makes feedback-data portability a legal question, not just a procurement one. If your CX vendor cannot export your raw data, that is now a liability.
Do you need consent to send a customer satisfaction survey under GDPR?
No. For an existing B2B customer relationship, a satisfaction survey almost always runs on legitimate interest under Article 6(1)(f) of the GDPR, not on consent. A survey is not direct marketing, you already have a relationship, and the person you are contacting reasonably expects to be asked about the service they bought.
Legitimate interest is not a free pass. It requires a documented, three-part legitimate interest assessment (LIA) before you send anything: name the interest (understanding and improving the service), show that the processing is necessary for it (could you get there with less data?), and balance it against the respondent's rights and reasonable expectations. For surveys to existing customers this balancing is usually easy to pass, but you have to write it down. Do it once, reuse it across your programme.
Consent under Article 6(1)(a) still has a place. Use it when you want to reuse feedback for something the customer would not expect, such as publishing a named public testimonial or feeding a response into a marketing sequence. Then get consent for that specific, separate purpose.
One Danish wrinkle worth calling out: the Danish Marketing Practices Act (markedsføringsloven) section 10 requires prior consent for electronic direct marketing. A genuine satisfaction survey is not marketing, so section 10 does not apply. But the moment your "survey" turns into a sales pitch or a nudge toward a review site, you are in section 10 territory and you need consent. Keep the two things separate, in intent and in wording.
Why consent is usually the wrong basis for feedback
Here is the part most privacy checklists get backwards. Consent feels like the safe, respectful default, so teams reach for it automatically. For an ongoing feedback programme, it is often the worst choice.
Consent under the GDPR must be freely given, specific, informed, and unambiguous, and it must be as easy to withdraw as it was to give. For a recurring relational NPS programme that is fragile: one withdrawal and you have to scrub that person from every future wave, prove you did, and hope your systems actually enforce it. A consent gate in front of the survey also quietly wrecks your numbers, because you lose respondents at the gate before they ever see a question, which is the last thing you want when you are already fighting for a decent survey response rate.
Legitimate interest, documented properly, is both more robust and more honest. You are asking existing customers about a service they pay for. Say that, base your processing on it, and reserve consent for the genuinely optional and the genuinely unexpected.
What data should a B2B feedback programme actually collect?
Data minimisation is Article 5(1)(c): personal data must be adequate, relevant, and limited to what is necessary for the purpose. In plain terms, collect enough to act, not everything you could capture. Every "nice to have" field is data you now have to secure, justify, and eventually delete.
| Data you collect | Why you need it | Retention |
|---|---|---|
| Account and contact identity | Close the loop, link feedback to account health | Working period, then anonymise |
| Role or segment | Drives analysis and prioritisation | Working period, then anonymise |
| Score (NPS, CSAT, or CES) | The measurement itself | Aggregate indefinitely, drop the identifier |
| Open-text verbatim | The "why" behind the score | 12 to 24 months, then redact or anonymise |
| Extra demographics you have no plan to use | None | Do not collect |
Then there is the trap almost everyone walks into: the open-text field. Customers paste whatever they want in there. A named colleague ("Anna in support was brilliant"), a direct phone number, sometimes health or financial context depending on your sector. You are now processing personal data you never asked for, occasionally special-category data. Two defences: tell respondents in the field label not to include sensitive personal details, and put your verbatims on a redaction or deletion schedule so they do not accumulate forever. This matters most in a Voice of Customer programme where verbatims are the whole point and the volume is high.
How long can you keep customer feedback under GDPR?
Storage limitation is Article 5(1)(e): keep personal data only as long as necessary for the stated purpose, then delete or anonymise it. For CX this means identifiable responses have a working life. You need them long enough to close the loop, track an account's trajectory, and see a trend. After that, aggregate the scores, anonymise the verbatims, and drop the identifiers.
Set the clock before you launch, not after a data subject access request forces the question. A common and defensible pattern: keep identifiable responses for a rolling 12 to 24 months for trend analysis and account tracking, then anonymise. Pick a number, document it in your LIA and privacy notice, and actually enforce it.
One caution that trips people up: pseudonymised data is still personal data. The European Data Protection Board reaffirmed this in its January 2025 guidance. Replacing names with a key reduces risk and is good practice, but it does not take the data out of scope. Pseudonymisation is a safeguard, not an exemption.
Anonymous, pseudonymous, or identified: which one for B2B?
This is where B2C privacy advice actively misleads B2B teams. In a mass consumer survey with 40,000 respondents, anonymity can make sense. In B2B, where you have 40 accounts that each matter, anonymity is usually a mistake.
| Approach | What it means | Best for | The B2B cost |
|---|---|---|---|
| Anonymous | No identifiers, cannot be re-linked | Employee or whistleblower feedback, large B2C | You cannot close the loop or tie feedback to an account |
| Pseudonymous | Identifiers replaced with a separately held key; still personal data | Analysts who should not see identities directly | Low risk, loop-closing still possible via the key holder |
| Identified | Response tied to the named contact and account | Most B2B relational and transactional programmes | Highest utility; demands minimisation and retention discipline |
You cannot recover an anonymous detractor. You cannot connect an anonymous score to renewal risk, to a customer health signal, or to the person who can actually fix the problem. The point of B2B feedback is to act on it by account, and anonymity removes exactly that. The privacy-preserving answer is not anonymity. It is identified collection with strict minimisation, a clear legal basis, and short retention, so you can close the loop without hoarding data.
Anonymity does have its place, just not here. Employee sentiment, eNPS-adjacent studies, and anything whistleblower-shaped need it. That is a different problem with a different answer.
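The three data-protection controls this article keeps returning to (redacting personal data that respondents paste into verbatims, pseudonymising contact identity with a separately held key, and enforcing a retention clock after which identifiers and verbatims are dropped while scores stay for aggregation) fit together into one small pipeline. The following Python is an added illustration, not SurveyGauge's code; the key, the redaction patterns, the 730-day approximation of the 24-month upper bound, the field names and the sample responses are all constructed here. It assumes the account identifier refers to the customer company rather than a person.

```python
# Added example (not SurveyGauge's code): pseudonymise contact identity with a
# separately held key, redact obvious personal data from verbatims, and enforce a
# retention clock on identifiable responses. Key, patterns and records are constructed.
import hashlib
import hmac
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Held by the loop-closing team only; the analyst dataset never contains it (assumption).
PSEUDONYM_KEY = b"constructed-key-kept-out-of-the-analyst-dataset"

# Working life of an identifiable response. The article's range is 12 to 24 months;
# 730 days approximates the 24-month upper bound used in this example.
RETENTION_DAYS = 730

# Constructed patterns for the personal data most often pasted into free-text answers.
# Names ("Anna in support") need review or NER; a regex will not catch them.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+?\d[\d\s-]{6,}\d")


@dataclass
class RawResponse:
    account_id: str          # the customer company, not a person (assumption)
    contact_email: str       # the respondent: personal data
    role: str
    score: int
    verbatim: str
    collected_on: date


@dataclass
class AnalystRecord:
    account_id: str
    contact_token: Optional[str]   # pseudonym; None once the retention clock has run out
    role: str
    score: int
    verbatim: Optional[str]        # redacted at ingestion; None after retention expiry
    collected_on: date


def pseudonymise_contact(email: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed token in place of the e-mail address. HMAC rather than a plain hash, so the
    token cannot be reversed by hashing guessed addresses without the key. Whoever holds
    the key can still re-link it, so the record remains personal data under the GDPR."""
    digest = hmac.new(key, email.strip().lower().encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


def redact_verbatim(text: str) -> str:
    """Remove e-mail addresses and phone numbers a respondent pasted into free text."""
    text = EMAIL_RE.sub("[email redacted]", text)
    return PHONE_RE.sub("[phone redacted]", text)


def ingest(raw: RawResponse) -> AnalystRecord:
    """What analysts receive: pseudonymised contact, redacted verbatim, nothing extra."""
    return AnalystRecord(
        account_id=raw.account_id,
        contact_token=pseudonymise_contact(raw.contact_email),
        role=raw.role,
        score=raw.score,
        verbatim=redact_verbatim(raw.verbatim),
        collected_on=raw.collected_on,
    )


def enforce_retention(records: List[AnalystRecord], today: date) -> List[AnalystRecord]:
    """Past the working period, keep only what aggregates need (account, role, score)
    and drop the token and the verbatim. Meant to run on a schedule, not on request."""
    out = []
    for r in records:
        if (today - r.collected_on).days > RETENTION_DAYS:
            r = AnalystRecord(r.account_id, None, r.role, r.score, None, r.collected_on)
        out.append(r)
    return out


def demo(today: date = date(2026, 3, 1)) -> List[AnalystRecord]:
    """Constructed sample: one response inside the working period, one well past it."""
    raw = [
        RawResponse("ACME-001", "Anna.Lund@example.com", "Ops lead", 9,
                    "Anna in support was brilliant, reach her on anna@example.com or +45 12 34 56 78",
                    date(2025, 12, 1)),
        RawResponse("ACME-002", "jon@example.org", "CFO", 4,
                    "Invoicing is slow.", date(2024, 1, 15)),
    ]
    return enforce_retention([ingest(r) for r in raw], today)


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Two design points are worth noting. The pseudonym is keyed (HMAC) rather than a bare SHA-256 of the address, because an unkeyed hash of an e-mail address is trivially reversed by hashing a list of known customer addresses; that is why the EDPB treats pseudonymised data as still in scope. And the retention step keeps the score and the account, which is what the aggregate trend needs, so the 24-month clock does not cost you the time series, only the ability to name the respondent.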
What information do you owe respondents?
Transparency lives in Articles 13 and 14. At or before the point you collect data, you have to tell people who the controller is, the purpose, the legal basis (and if it is legitimate interest, what that interest is), how long you keep the data, their rights, and any processor involved. In practice this is a one-line privacy notice beneath the survey with a link to your full policy. Do not bury it and do not skip it. It is cheap insurance, and being upfront tends to improve trust and response rather than hurt it.
EU Data Act: your feedback data has to be portable now
Since 12 September 2025 the EU Data Act (Regulation 2023/2854) has applied across the EU. It targets exactly the lock-in that plagues cloud CX tools. Customers can switch data-processing services, including SaaS, IaaS, and PaaS, on two months' notice, switching charges are being phased out, and providers must support interoperability and structured data export. The core provisions applied from September 2025, with interoperability requirements and the full removal of switching fees phasing in through 2027.
The practical CX implication is blunt. When you choose or renew a feedback vendor, "can we get our raw responses out in a usable, structured format, on demand, without a penalty?" is now a compliance question, not a nice-to-have. Vendor lock-in on your own customers' feedback is a liability you can be asked to justify. Get the export commitment in writing before you sign.
How SurveyGauge handles this
We treat this as advisory work, not a settings page. For most clients we base relational and transactional programmes on legitimate interest, help write the LIA once so it covers the whole programme, keep collection minimal by default, and agree a retention period with you up front rather than leaving verbatims to pile up. And because the EU Data Act says your data is yours, we give you your raw responses in a structured export whenever you ask, no penalty and no lock-in. Platform and CX advisory in one subscription, so the compliance and the value questions get answered together instead of falling between two vendors.
As a hypothetical illustration: when Nordika A/S moved from an anonymous annual survey to identified, minimised relational NPS with a documented legitimate interest basis and a 24-month retention rule, they did not just tighten compliance. They could finally act on named detractors and tie feedback to account renewals, which is the entire reason to collect it.
Want your feedback programme on solid legal footing without killing response or usefulness? SurveyGauge combines the platform and the CX advisory in one subscription, and your data is always yours to export. Book a free demo or see pricing.
SurveyGauge Team
Customer Experience Experts
The SurveyGauge team helps companies measure and improve customer satisfaction through professional surveys, analysis and advisory.