SO's "GDPR Policy" states in part:
"we describe how we collect and use your data, and how we use technologies like cookies to understand how we can better help developers."
However, The Loop's first survey states that it is governed by SurveyMonkey's privacy policy, with "Privacy Policy" linked to https://www.surveymonkey.com/mp/legal/privacy-basics/?ut_source=survey_pp.
There is no indication that SO's Privacy Policy applies. There is no indication that GDPR applies. This makes me wonder what policies are intended to apply to the data SO is collecting. In particular:
1. Is personal data provided via SurveyMonkey to Stack Overflow subject to Stack Overflow's Privacy Policy?
2. Is personal data provided by EU persons via SurveyMonkey to Stack Overflow protected by GDPR?
   a. Is this data subject to the right of portability?
   b. Is this data subject to the right to be forgotten?
   c. How does the site use cookies?
SO's Privacy Policy states that gender and race are only collected during the Annual Developer Survey:
"In order to provide meaningful insights into the developer community, Stack Overflow may collect sensitive data about you, including, but not limited to your gender, race, sexual orientation, immigration status, and your location."
However, the Privacy Policy does not state that sensitive information will be collected as part of The Loop. In fact, the only case in which gender or race are declared to be collected is as part of the Annual Developer Survey.
- Since SO's policy does not state that this data may be collected by The Loop, what is the justification for collecting this data, and have you sufficiently notified users such that their consent is knowing and unambiguous? Although the survey states "We will NOT associate your responses to this survey with your account information", that may not be enough to declare it GDPR-compliant. For example, if IP addresses are collected as part of the survey, then this might mean participants could be identified. Is SO asserting that data collected in the survey cannot be traced to the survey respondent in any way?
I think that if The Loop is intended to fall under SO's Policies, it needs to clearly and unambiguously notify users prior to collection of any data.
If SO asserts the survey is truly anonymous, then SO needs to notify users of that prior to collecting data as well.