Personal data and informed consent
AudienceNet takes the privacy of all individuals very seriously. As a Market Research Society Company Partner we adhere to a strict code of conduct, set out by the Market Research Society (MRS) and as such, the collection, use and storage of personal data is in strict accordance with the General Data Protection Regulation (GDPR).
The MRS Code of Conduct, 2019, ensures that, at all times, we fully respect and maintain the privacy of all individuals electing to participate in research conducted by AudienceNet or who otherwise elect to be involved with AudienceNet in any other capacity. This means that we will never record, store, nor pass on to third parties, any personal or personally identifiable data, relating to an individual, without their express permission to do so, (i.e. with their informed consent).In the case of researching children, only those aged 15 or above are able to provide their own consent, therefore for any child aged 14 years and under, parental consent is always obtained.
AudienceNet selects personal data processing suppliers based on their capacity to comply with our data protection requirements. In the lead up to the implementation of GDPR, we conducted due diligence with all suppliers ensuring that their practices are GDPR compliant. As part of our on-going processes, all suppliers are required to sign an agreement adhering to GDPR regulations in terms of data protection and the transfer of EU citizens’ personal data. More specifically, suppliers cannot transfer any personal data outside the EEA unless they agree to appropriate safeguards and obtain customer consent. Additionally, our suppliers cannot subcontract part of the personal data processing services to sub-processors without our prior approval.
Why do we collect personal data?
AudienceNet conducts social and consumer research. The data we provide to our customers is always aggregated across a wide number of research participants and is never presented in a way that identifies participants at an individual level. At times, however, AudienceNet does ask individuals to provide personal data, purely for lawful processing reasons.
Our lawful bases for processing personal data:
• Where it is necessary for our legitimate business interests
• Where we need to perform our duties under a contract
• Where we need to comply with a legal obligation
• Where we have gained informed consent
• Where we are carrying out the performance of a task in the interest of public interest or in the exercise of an official authority
For example, for sending feedback of survey results, for sending agreed incentives or rewards to individual survey participants and for managing the appropriate frequency with which a given respondent is invited to take part in our surveys. We also use personal information to enable us to invite people to participate in research that is appropriate to them thus matching contact details with specific criteria, such as: demographic information, lifestyle and consumption patterns.
We also collect necessary employee and candidate data. The access to employees’ personal data is strictly limited to the relevant staff in charge of human resources management.
Data Protection Principles
AudienceNet is considered the Joint Data Controller with our clients. AudienceNet processes personal data in accordance with the following data protection principles set out by the GDPR:
• We process personal data lawfully, fairly and in a transparent manner;
• We collect personal data only for specified, explicit and legitimate purposes;
• We process personal data only where it is adequate, relevant and limited to what is necessary for the purposes of the processing;
• We keep accurate personal data and take all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay;
• We retain personal data only for the period necessary for the processing;
• We adopt appropriate measures to make sure that personal data is secure and is protected against unauthorised or unlawful processing and from accidental loss, destruction or damage.
Special Category data: We keep private information private!
The type of personal information that AudienceNet collects and stores on individuals electing to participate in research includes aspects such as: name; age; date of birth; residential area; household composition; marital status; household income; ethnicity; religion; political beliefs and educational attainment. AudienceNet uses pseudonymisation or anonymisation techniques to protect respondents’ personal data so that access is restricted to fieldwork teams on a need to know basis. In addition, any data containing personally identifiable sensitive information, i.e. special category data (ethnicity, race, political opinions, religious or philosophical beliefs, health data, data concerning individuals’ sex life and sexual orientation), is stored securely (e.g. password protected and/or encrypted).
Where do we access and store personal data?
AudienceNet’s head office is located at 71 Leonard Street, London, EC2A 4QS, U.K., however, occasionally personal data may be accessed and analysed in other locations, such as from our offices in Melbourne, Australia and Washington D.C., U.S.A. Our teams in all locations strictly adhere to AudienceNet’s overarching GDPR practices.
Retention policy: How long do we keep personal data?
AudienceNet retains participant personal data for a maximum term of 1 year. After this time, all personal identifiers will be removed (i.e. deleted) from the data source unless the participant has given their expressed permission for their personal data to be retained for a longer period in connection with a more longitudinal project.
We will delete all HR-related personal data (or return to an employee if requested) at the end of an employee’s contract.
Personal data breaches
Any notifiable breach in AudienceNet’s protection of personal information will be communicated with all individuals potentially affected within a maximum of 72 hours and will be reported to the Information Commissioner’s Office (Tel: 03031231113) and the Market Research Society within a maximum of 72 hours. All efforts will be made to rectify breaches of personal information with immediate effect. We will record all data breaches regardless of their effect.
AudienceNet implemented an employee training programme in 2018 to ensure a high level of data protection awareness and adherence and will ensure new starters are aware of data protection regulations and processes.
Data Protection Officer (DPO)
The protection of personal data is a priority for all of us here at AudienceNet. Having conducted due diligence, it is our belief that we do not need to appoint an independent Data Protection Officer (DPO). We have sufficient (existing) resources, processes and training practices in place to monitor our GDPR compliance.
Furthermore, AudienceNet does not fall under the organisation type in which a DPO is mandatory; we are not a public authority, our core activities do not require large scale monitoring of individuals, nor do they consist of large scale processing of special categories of data.
*Individuals’ rights: Putting you in control of your data
Withdrawal of consent
GDPR affords additional rights to individuals in relation to their personal data. Broadly these relate to transparency around what data is held and how it is used, as well as the right to have data updated or removed.
Anyone electing to provide AudienceNet with personal information (e.g. research participants) has the right to withdraw their consent, at any stage, with immediate effect. An individual can choose to withdraw their consent by opting-out or unsubscribing to any communication materials originated by AudienceNet. For live research projects, they can do so by emailing the named contact. Or, and for all other communications, they can do so by emailing firstname.lastname@example.org with the subject ‘Opt Out’. AudienceNet will remove all personal information held on the individual in question within 48 hours and provide final confirmation of removal by email. No further contact with that individual will subsequently be made.
Subject Access Requests(SARs)/Right to data portability
Anyone electing to provide AudienceNet with personal information (e.g. research participants, candidates for employment etc.) retains the right, at any stage, to have full transparency of the data held in relation to them by AudienceNet. Individuals can request a written account of all the personal information AudienceNet holds on them by emailing email@example.com with the subject ‘Subject Access Request’. AudienceNet undertakes to respond with full details within 48 hours, upon request. We will record all Subject Access Requests. Individuals have the right to receive their data in a portable way (i.e. electronically) so that it can be easily stored and accessed.
Right to object
Individuals have the right to object to the processing of their personal data providing they have grounds relating to their particular situation unless the processing of personal data is necessary for the performance of a public interest task. Individuals can object by emailing firstname.lastname@example.org with the subject “Right to Object”.
Right to erasure
Individuals have the right to request erasure of their personal data both in relation to their own personal data and/or on behalf of one’s children – this can be done verbally by calling the head office on 02077298059 or in writing by emailing email@example.com with the subject “right to erasure”. We will respond to all requests within 1 month. A log detailing any erasure requests will be kept internally.
Right to restriction
Individuals have the right to request the restriction of the processing or use of their personal data if they have issues with the content we hold or are unsure about how their data is being processed/used– this can be done verbally by calling the head office on 02077298059 or in writing by emailing firstname.lastname@example.org with the subject “right to restriction”. We will respond to all requests within 1 month. A log detailing any restriction requests will be kept internally.
Right to rectification
Individuals have the right to request the rectification of any data we hold if they believe it to be inaccurate or incomplete. This can be done verbally by calling the head office on 02077298059 or in writing by emailing email@example.com with the subject “right to rectification”. We will respond to all requests within 1 month.
What personal information do we collect from the people that visit our website?
We may determine the approximate location of your device from your IP address. We collect and use this information to calculate how many people visit our website from certain geographic regions. When completing our contact form, you will be asked to enter your name, email address or other details in order for us to respond.
When do we collect information?
We collect information from you when you subscribe to a newsletter, fill out a form or enter information on our site.
How do we use your information?
We may use the information we collect from you in the following ways:
• To improve our website in order to improve user experience
• To follow up with you after correspondence
How do we protect your information?
Our website is scanned on a regular basis for security holes and known vulnerabilities in order to make your visit to our site as safe as possible.
Your personal information is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such systems, and are required to keep the information confidential.
We implement a variety of security measures when a user enters, submits, or accesses their information to maintain the safety of your personal information.
Cookies are small files that a site or its service provider transfers to your computer’s hard drive through your Web browser (if you allow) that enables the site’s or service provider’s systems to recognise your browser and capture and remember certain information.
We use analytics cookies to understand how you use our website so we can monitor performance and ultimately improve user experience. The information is collected on our behalf by WordPress. The third parties’ software collects and stores that data (however, they won’t use your data for any purpose other than collecting and storing the data on our behalf). Members of our staff that deal with the above third parties will also have access to this data (no staff that don’t need to access the data for the above purpose will have access to it).
Some of our website features make use of third-party applications and services to enhance the experience of visitors. These include social media platforms, such as Facebook and Twitter (via our sharing feature). As a result, cookies may be set by these third parties and used by them to track your online activity. We have no direct control over or access to the information that is collected by these cookies. We recommend consulting the individual privacy policies of any such services for more information.
Complaints: If we do anything to upset you, please let us know – we’ll do our best to put it right!
AudienceNet strives to ensure that all individuals taking part in our research find the experience to be easy, convenient and engaging. We employ strict, ethical practices such that the content and administration of our research is in no way likely to cause offence or distress to participants. We also always reward individuals for their participation. Incentives are always administered within the timeframe specified at the beginning of the project (usually a week).
If for any reason you have been unsatisfied with your experience with us, or if you are concerned about how your data is being used, please email firstname.lastname@example.org with “Complaint” as the subject. We will endeavour to get back to you within 2 working days. If you are unhappy with how we have dealt with a complaint, you are able to escalate this to the Information Commissioner’s Office (ICO).