Last revised: 23rd of May 2018
1. About us
“We”, “GfK NORM” are responsible for the processing of personal data that we collect from or about “you”. For example, we collect your personal data in the course of your participation in a market research activity, during a business relationship or when you visit our website or use our software applications. Since we are based in the European Union, we process your personal data in compliance with applicable European data protection laws and other statutory provisions. We are a market research company and a member of ESOMAR, an international organization focusing on developing better market research methods. We adhere to the professional standards which ESOMAR sets out for its members and, at the same time, protect your privacy as a participant in our market research activities.
2. What are personal data?
Personal data are information that directly or indirectly identifies you as an individual, indirectly meaning when combined with other information, for example, your name, postal address, email address and phone number, or a unique device identifier.
3. Use of personal data
- Registration data and direct communication
For many services we collect your personal data, like: name, postal address, phone number and email address (“Registration Data”). We use your Registration Data to communicate with you about our services and let you know about our policies and terms. We also use your Registration Data as well as the content of our communication to respond to you when you contact us.
- Use of customer data for advertising purposes
To continuously improve and enhance our services, we may send you marketing communications via email relating to our business which may be of interest to you. You can choose if you want to receive at any time by updating your email preferences and unsubscribe for future direct communication
Consent: We will not use your personal data for advertising purposes unless you have freely given your explicit and prior consent.
However, for existing customers, we may use your email address that we obtained from you in the context of our existing customer relationship to provide you with marketing materials relating to similar products or services that you have previously requested, used or participated in. You may, however, object to such use at the time of collection and each time a message is sent. To opt-out of email marketing, follow the instructions within the email that you receive. Under no circumstances will we advertise to participants in market research projects.
- Legal obligations and legal defense, We may be required to use and retain personal data for legal and compliance reasons, such as the prevention, detection, or investigation of a crime, loss prevention, fraud or any other abuse of our services and IT systems. We may also use your personal data to meet our internal and external audit requirements, information security purposes, or to protect or enforce our rights, privacy, safety, or property, or those of other persons.
- Use of the GfK NORM Homepage (www.norm.gfk.com)
Your current state:
Changing your consent | Withdraw consent
|gdpr_cookie||norm.gfk.com||Stores the user's cookie consent state for the current domain||1 year|
|_oklv||norm.gfk.com||the Olark loader version (for improved caching)||Session|
|hblid||norm.gfk.com||a visitor identifier that we use only on your site to remember this visitor between visits||2 years|
|wcsid||norm.gfk.com||a session identifier that we use only on your site to keep track of a single chat session||Session|
|__utmt||norm.gfk.com||Used to throttle request rate.||10 minutes|
|__utmc||norm.gfk.com||Not used in ga.js. Set for interoperability with urchin.js. Historically, this cookie operated in conjunction with the __utmb cookie to determine whether the user was in a new session/visit.||End of browser session|
4. Collection of personal data from other sources
If we collect personal data about you from other sources, then we either make sure that the source has already informed you in advance about the transfer, or we will notify you upon the first contact that we have received your personal data and provide you with all information required by law.
5. How we share personal data
We will disclose your personal data only for the purposes and to those third parties, as described below. GfK will take appropriate steps to ensure that your personal data are processed, secured, and transferred according to applicable law.
- Within GfK Group
- External service providers
Where necessary, we will commission other companies and individuals to perform certain tasks contributing to our services on our behalf within the framework of data processing agreements. We may, for example, provide personal data to agents, contractors or partners for hosting our databases and applications, for data processing services, or to send you information that you requested, or to call-centers for the purpose of provision of support services or interviewing in the course of market research projects. We will only share with or make accessible such data to external service providers to the extent required for the respective purpose. This data may not be used by them for any other purposes, in particular not for their own or third party purposes. GfK NORM’s external service providers are contractually bound to respect the confidentiality of your personal data
- Customer Relationship Management (CRM)
For Customer Relationship Management (CRM) purposes the contact information [name, email address, telephone number, address] of our customers, vendors or other contract partners is stored on our service partner Upsales’s servers in Sweden, please refer to section 6 for our international data transfer policy.
- Business transfers
- Public bodies
We will only disclose your personal data to public bodies where this is required by law. GfK NORM will for example respond to requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include such authorities outside your country of residence.
6. International transfers of personal data
- Legal entities of GfK Group
GfK Group’s legal entities outside the European Union have entered into intra-company data protection agreements using standard contractual clauses adopted by the European Commission to safeguard your privacy and legitimize international data transfers.
- Other third parties outside the EU / EEA
Any transfers of personal data to third parties outside the GfK Group will be carried out with your prior knowledge and, where applicable, with your consent. Any transfers of personal data into countries other than those for whom an adequacy decision regarding the level of data protection was made by the European Commission, as listed on http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm, occur on the basis of contractual agreements using standard contractual clauses adopted by the European Commission or other appropriate safeguards in accordance with the applicable law.
7. Processing of personal data of children
GfK NORM will not collect or process personal data of children under 16 years – or under a lower age – unless with parental consent, pursuant to applicable local law. If we become aware that personal data from a child were inadvertently collected, we will delete such data without undue delay.
8. Processing of sensitive data
We may, in certain cases, process special categories of personal data concerning you (“sensitive data”). Sensitive data refer to personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, health or a natural person’s sex life or sexual orientation. We may for example process sensitive data that you manifestly have made public. We may also process sensitive data as necessary for the establishment, exercise or defense of legal claims. We may also process your sensitive data if you have freely given your prior, express and separate consent in a specific context for a specific purpose, such as in the course of your participation in a market research activity.
GfK NORM takes data security seriously. We apply an appropriate level of security and have therefore implemented reasonable physical, electronic, and administrative procedures to safeguard the data we collect from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed. Our information security policies and procedures are closely aligned with widely accepted international standards and are reviewed regularly and updated as necessary to meet our business needs, changes in technology, and regulatory requirements. Access to your personal data is granted only to those personnel, service providers or GfK NORM affiliates with a business need-to-know or who require it in order to perform their duties. In the event of a data breach containing personal data, GfK NORM will follow all applicable data breach notification laws.
10. Your legal rights
- Right to withdraw consent:
Where the processing of personal data is based on your consent you may withdraw this consent at any moment by following the procedures described in the respective consent form. We ensure that consent can be withdrawn by the same means as it was given – e.g., electronically. As a participant in a market research project please note that by withdrawing consent you typically end your participation in the respective project and will no longer be eligible for any rewards or incentives that GfK NORM may eventually offer to participants.
- Right to rectification:
You may obtain from us rectification of personal data concerning you. We make reasonable efforts to keep personal data in our possession or control which are used on an ongoing basis, accurate, complete, current and relevant, based on the most recent information available to us. In appropriate cases, we provide self-service internet portals where users have the possibility to review and rectify their personal data.
- Right to restriction:
You may obtain from us restriction of processing of your personal data, if – you contest the accuracy of your personal data for the period we need to verify the accuracy, – the processing is unlawful and you request the restriction of processing rather than erasure of your personal data, – we do no longer need your personal data but you require them for the establishment, exercise or defense of legal claims, or – you object to the processing while we verify whether our legitimate grounds override yours.
- Right to access:
You may ask us from us information regarding personal data that we hold about you, including information as to which categories of personal data we have in our possession or control, what they are being used for, where we collected them, if not from you directly, and to whom they have been disclosed, if applicable. You may obtain from us one copy, free of charge, of personal data we hold about you. We reserve the right to charge a reasonable fee for each further copy you may request.
- Right to portability:
At your request, we will transfer your personal data to another controller, where technical feasible, provided that the processing is based on your consent or necessary for the performance of a contract. Rather than receiving a copy of your personal data you may request that we transfer the data to another controller, specified by you, directly.
- Right to erasure:
- Right to object:
You may object – at any time – to the processing of your personal data due to your particular situation, provided that the processing is not based on your consent but on our legitimate interests or those of a third party. In this event we shall no longer process your personal data, unless we can demonstrate compelling legitimate grounds and an overriding interest for the processing or for the establishment, exercise or defense of legal claims. If you object to the processing, please specify whether you wish the erasure of your personal data or the restriction of its processing by us.
- Right to lodge a complaint:
In case of an alleged infringement of applicable privacy laws, you may lodge a complaint with the data protection supervisory authority in the country you live in or where the alleged infringement occurred.
- Time period: We will try to fulfill your request within 30 days. However, the period may be extended due to specific reasons relating to the specific legal right or the complexity of your request.
- Restriction of access: In certain situations we may not be able to give you access to all or some of your personal data due to statutory provisions. If we deny your request for access, we will advise you of the reason for the refusal.
- No identification: In some cases, we may not be able to look up your personal data due to the identifiers you provide in your request. Two examples of personal data which we cannot look up when you provide your name and email address are:
– Data collected through browser-cookies
– Data collected from public social media sites provided you have posted your comment under a nickname which is not known to us. In such cases, where we cannot identify you as a data subject, we are not able to comply with your request to execute your legal rights as described in this section, unless you provide additional information enabling your identification.
11. Retention of your personal data
In general, we will delete the personal data we collected from you if they are no longer necessary to achieve the purposes for which they were originally collected. However, we may be required to store your personal data for a longer period due to statutory provisions. In addition, we will not delete all of your personal data if you requested from us to refrain from recontacting you in the future. For this purpose, GfK NORM keeps records which contain information on people who do not want to be re-contacted in the future (e.g. by means of bulk emailing or recruiting campaigns for market research projects). We qualify your request as consent to store your personal data for the purpose of such record keeping unless you instruct us otherwise.
13. Contact information
GfK NORM AB
113 31 Stockholm, Sweden
Entered in the Commercial Register in Sweden: 556626-2290
Please direct your questions regarding the subject matter of data protection and any requests in the exercise of your legal rights to the data protection officer: