General Privacy Policy Date effective : 23rd of May 2018
Last revised: 23rd of May 2018

1. About us
“We”, “GfK NORM” are responsible for the processing of personal data that we collect from or about “you”. For example, we collect your personal data in the course of your participation in a market research activity, during a business relationship or when you visit our website or use our software applications. Since we are based in the European Union, we process your personal data in compliance with applicable European data protection laws and other statutory provisions. We are a market research company and a member of ESOMAR, an international organization focusing on developing better market research methods. We adhere to the professional standards which ESOMAR sets out for its members and, at the same time, protect your privacy as a participant in our market research activities.

2. What are personal data?
Personal data are information that directly or indirectly identifies you as an individual, indirectly meaning when combined with other information, for example, your name, postal address, email address and phone number, or a unique device identifier.

3. Use of personal data
We will use your personal data for the purposes as described below. We do not collect and process more or other types of personal data than are necessary to fulfill the respective purposes. We will only use personal data as set forth in this privacy policy, unless you have specifically provided your consent to another use of your personal data. If we intend to use your personal data that we process with your consent for purposes other than communicated in such consent, we will inform you in advance and, in cases where the processing is based on your consent, use your personal data for a different purpose only with your permission.

  1. Registration data and direct communication
    For many services we collect your personal data, like: name, postal address, phone number and email address (“Registration Data”). We use your Registration Data to communicate with you about our services and let you know about our policies and terms. We also use your Registration Data as well as the content of our communication to respond to you when you contact us.
  2. Use of customer data for advertising purposes
    To continuously improve and enhance our services, we may send you marketing communications via email relating to our business which may be of interest to you. You can choose if you want to receive at any time by updating your email preferences and unsubscribe for future direct communication
    Consent: We will not use your personal data for advertising purposes unless you have freely given your explicit and prior consent.
    However, for existing customers, we may use your email address that we obtained from you in the context of our existing customer relationship to provide you with marketing materials relating to similar products or services that you have previously requested, used or participated in. You may, however, object to such use at the time of collection and each time a message is sent. To opt-out of email marketing, follow the instructions within the email that you receive. Under no circumstances will we advertise to participants in market research projects.
  3. Legal obligations and legal defense, We may be required to use and retain personal data for legal and compliance reasons, such as the prevention, detection, or investigation of a crime, loss prevention, fraud or any other abuse of our services and IT systems. We may also use your personal data to meet our internal and external audit requirements, information security purposes, or to protect or enforce our rights, privacy, safety, or property, or those of other persons.
  4. Use of the GfK NORM Homepage (www.norm.gfk.com)
    This Privacy Policy also applies to your use of our website at www.gfk.com (“Website”), with the following privacy related mechanics and features.
    Cookies: Our Website uses cookies and other technologies to enhance the users’ experience and improve the Website’s performance, user friendliness and security. Please refer to our cookie policy for full details.
    Third party websites: As a convenience to our visitors, this website contains links to a number of websites that are not affiliated with, controlled, or managed by us. The policies and procedures we describe here do not apply to those websites. We are not responsible for the security or privacy of any data collected by these third General Privacy Policy parties. We suggest contacting those websites directly for information on their privacy policies.
Your current state:

 

Changing your consentWithdraw consent

 

 

4. Collection of personal data from other sources
We may sometimes collect personal data about you from sources other than you. For example, this may be the case if you have registered with a market research panel provider as a participant, and we are working with this provider to source participants in our research. The panel provider will then, subject to its privacy policy and your respective consent to its practices, transfer your personal data to us so that we are able to contact you. If the panel provider has not already informed you about the transfer of your personal data to us, then we will do so when we first contact you and you provide you with all information that is shared with us. We will do so upon the first contact.

If we collect personal data about you from other sources, then we either make sure that the source has already informed you in advance about the transfer, or we will notify you upon the first contact that we have received your personal data and provide you with all information required by law.

5. How we share personal data
We will disclose your personal data only for the purposes and to those third parties, as described below. GfK will take appropriate steps to ensure that your personal data are processed, secured, and transferred according to applicable law.

  1. Within GfK Group
    GfK NORM is part of a global organization (the “GfK Group”), consisting of several companies in and outside the European Union, all primarily owned by GfK SE in Germany. Your personal data may be transferred to one or more GfK Group affiliated companies as needed for data processing and storage, providing you with access to our services, providing customer support, making decisions about service improvements, content development and for other purposes as described in Section 3 of this Privacy Policy. We do not disclose personal data General Privacy Policy of participants in market research projects to third parties outside the GfK Group unless the participants have declared their prior explicit consent for the specific purpose.
  2. External service providers
    Where necessary, we will commission other companies and individuals to perform certain tasks contributing to our services on our behalf within the framework of data processing agreements. We may, for example, provide personal data to agents, contractors or partners for hosting our databases and applications, for data processing services, or to send you information that you requested, or to call-centers for the purpose of provision of support services or interviewing in the course of market research projects. We will only share with or make accessible such data to external service providers to the extent required for the respective purpose. This data may not be used by them for any other purposes, in particular not for their own or third party purposes. GfK NORM’s external service providers are contractually bound to respect the confidentiality of your personal data
  3. Customer Relationship Management (CRM)
    For Customer Relationship Management (CRM) purposes the contact information [name, email address, telephone number, address] of our customers, vendors or other contract partners is stored on our service partner Upsales’s servers in Sweden, please refer to section 6 for our international data transfer policy.
  4. Business transfers
    In connection with any reorganization, restructuring, merger or sale, or other transfer of assets (collectively “Business Transfer”), we will transfer data, including personal data, in a reasonable scale and as necessary for the Business Transfer, and provided that the receiving party agrees to respect your personal data in a manner that is consistent with applicable data protection laws. We will continue to ensure the confidentiality of any personal data and give affected users notice before personal data become subject to a different privacy policy.
  5. Public bodies
    We will only disclose your personal data to public bodies where this is required by law. GfK NORM will for example respond to requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include such authorities outside your country of residence.

6. International transfers of personal data
Under specific circumstances, it will also be necessary for GfK NORM to transfer your personal data to countries outside the European Union/ European Economic Area (EEA), so called “third countries”. Such third country transfers may refer to all processing activities describes under Sec. 3 of this Privacy Policy. This Privacy Policy shall apply even if we transfer personal data to third countries, in which a different level of data protection applies than in your country of residence. In particular, an international data transfer may apply in the following scenarios:

  1. Legal entities of GfK Group
    GfK Group’s legal entities outside the European Union have entered into intra-company data protection agreements using standard contractual clauses adopted by the European Commission to safeguard your privacy and legitimize international data transfers.
  2. Other third parties outside the EU / EEA
    Any transfers of personal data to third parties outside the GfK Group will be carried out with your prior knowledge and, where applicable, with your consent. Any transfers of personal data into countries other than those for whom an adequacy decision regarding the level of data protection was made by the European Commission, as listed on http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm, occur on the basis of contractual agreements using standard contractual clauses adopted by the European Commission or other appropriate safeguards in accordance with the applicable law.

7. Processing of personal data of children
GfK NORM will not collect or process personal data of children under 16 years – or under a lower age – unless with parental consent, pursuant to applicable local law. If we become aware that personal data from a child were inadvertently collected, we will delete such data without undue delay.

8. Processing of sensitive data
We may, in certain cases, process special categories of personal data concerning you (“sensitive data”). Sensitive data refer to personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, health or a natural person’s sex life or sexual orientation. We may for example process sensitive data that you manifestly have made public. We may also process sensitive data as necessary for the establishment, exercise or defense of legal claims. We may also process your sensitive data if you have freely given your prior, express and separate consent in a specific context for a specific purpose, such as in the course of your participation in a market research activity.

9. Security
GfK NORM takes data security seriously. We apply an appropriate level of security and have therefore implemented reasonable physical, electronic, and administrative procedures to safeguard the data we collect from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed. Our information security policies and procedures are closely aligned with widely accepted international standards and are reviewed regularly and updated as necessary to meet our business needs, changes in technology, and regulatory requirements. Access to your personal data is granted only to those personnel, service providers or GfK NORM affiliates with a business need-to-know or who require it in order to perform their duties. In the event of a data breach containing personal data, GfK NORM will follow all applicable data breach notification laws.

10. Your legal rights
As a data subject you have specific legal rights relating to the personal data we collect from you. This applies to all processing activities stipulated under Section. 3 of this Privacy Policy. GfK will respect your individual rights and will deal with your concerns adequately. The following list contains information on your legal rights which arise from applicable data protection laws

  1. Right to withdraw consent:
    Where the processing of personal data is based on your consent you may withdraw this consent at any moment by following the procedures described in the respective consent form. We ensure that consent can be withdrawn by the same means as it was given – e.g., electronically. As a participant in a market research project please note that by withdrawing consent you typically end your participation in the respective project and will no longer be eligible for any rewards or incentives that GfK NORM may eventually offer to participants.
  2. Right to rectification:
    You may obtain from us rectification of personal data concerning you. We make reasonable efforts to keep personal data in our possession or control which are used on an ongoing basis, accurate, complete, current and relevant, based on the most recent information available to us. In appropriate cases, we provide self-service internet portals where users have the possibility to review and rectify their personal data.
  3. Right to restriction:
    You may obtain from us restriction of processing of your personal data, if – you contest the accuracy of your personal data for the period we need to verify the accuracy, – the processing is unlawful and you request the restriction of processing rather than erasure of your personal data, – we do no longer need your personal data but you require them for the establishment, exercise or defense of legal claims, or – you object to the processing while we verify whether our legitimate grounds override yours.
  4. Right to access:
    You may ask us from us information regarding personal data that we hold about you, including information as to which categories of personal data we have in our possession or control, what they are being used for, where we collected them, if not from you directly, and to whom they have been disclosed, if applicable. You may obtain from us one copy, free of charge, of personal data we hold about you. We reserve the right to charge a reasonable fee for each further copy you may request.
  5. Right to portability:
    At your request, we will transfer your personal data to another controller, where technical feasible, provided that the processing is based on your consent or necessary for the performance of a contract. Rather than receiving a copy of your personal data you may request that we transfer the data to another controller, specified by you, directly.
  6. Right to erasure:
    You may obtain from us erasure of your personal data, where – the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; – you have a right to object further processing of your personal data (see below) and execute this right object to the processing; – the processing is based on your consent, you withdraw your consent and there is no other legal ground for the processing; General Privacy Policy – the personal data have been unlawfully processed; unless the processing is necessary – for compliance with a legal obligation which requires processing from us; – in particular for statutory data retention requirements; – for the establishment, exercise or defence of legal claims.
  7. Right to object:
    You may object – at any time – to the processing of your personal data due to your particular situation, provided that the processing is not based on your consent but on our legitimate interests or those of a third party. In this event we shall no longer process your personal data, unless we can demonstrate compelling legitimate grounds and an overriding interest for the processing or for the establishment, exercise or defense of legal claims. If you object to the processing, please specify whether you wish the erasure of your personal data or the restriction of its processing by us.
  8. Right to lodge a complaint:
    In case of an alleged infringement of applicable privacy laws, you may lodge a complaint with the data protection supervisory authority in the country you live in or where the alleged infringement occurred.

Please note

  • Time period: We will try to fulfill your request within 30 days. However, the period may be extended due to specific reasons relating to the specific legal right or the complexity of your request.
  • Restriction of access: In certain situations we may not be able to give you access to all or some of your personal data due to statutory provisions. If we deny your request for access, we will advise you of the reason for the refusal.
  • No identification: In some cases, we may not be able to look up your personal data due to the identifiers you provide in your request. Two examples of personal data which we cannot look up when you provide your name and email address are:
    – Data collected through browser-cookies
    – Data collected from public social media sites provided you have posted your comment under a nickname which is not known to us. In such cases, where we cannot identify you as a data subject, we are not able to comply with your request to execute your legal rights as described in this section, unless you provide additional information enabling your identification.
  • Exercise your legal rights: In order to exercise your legal rights, please contact our privacy helpdesk in writing or text from, e.g. by email or letter. You may also turn directly to our Data Protection Officer. For contact information please refer to the end of this Privacy Policy.

11. Retention of your personal data
In general, we will delete the personal data we collected from you if they are no longer necessary to achieve the purposes for which they were originally collected. However, we may be required to store your personal data for a longer period due to statutory provisions. In addition, we will not delete all of your personal data if you requested from us to refrain from recontacting you in the future. For this purpose, GfK NORM keeps records which contain information on people who do not want to be re-contacted in the future (e.g. by means of bulk emailing or recruiting campaigns for market research projects). We qualify your request as consent to store your personal data for the purpose of such record keeping unless you instruct us otherwise.

12. Changes to this Privacy Policy
We reserve the right, at our discretion, to modify our privacy practices and update and make changes to this privacy policy at any time. For this reason, we encourage you to refer to this privacy policy on an ongoing basis. This privacy policy is current as of the “last revised” date which appears at the top of this page. We will treat your personal data in a manner consistent with the privacy policy under which they were collected, unless we have your consent to treat them differently.

We will also keep prior versions of this Privacy Policy in an archive for your review.

13. Contact information

GfK NORM AB
Hälsingegatan 49
113 31 Stockholm, Sweden

Entered in the Commercial Register in Sweden: 556626-2290
Please direct your questions regarding the subject matter of data protection and any requests in the exercise of your legal rights to the data protection officer:
Email: dpoNorm@gfk.com