For starters, a little dictionary for you to understand everything correctly
Controller = an entity that determines how, why and to what extent personal data will be processed. In the case of research projects, it is usually the ordering party, that is our client, who is also legally obliged to respond to exercising the rights of respondents. In other cases (processing of personal data from the contact form on our website, processing of personal data in order to conclude a contract etc.), we (NMS) are the Controller.
Processor = an entity that processes personal data on behalf of the Controller. In the case of research projects, it is usually us, NMS.
Data subject = a natural person whose personal data are processed. In the case of research projects, natural persons are you, our respondents, and in other cases our clients, those interested in cooperation, job applicants and employees.
Personal data = any information according to which a natural person can be identified, i.e. by which you can exactly determine a specific person. It can be for example a name, a phone number, an e-mail address etc.
Processing = any operation or set of operations which is performed on personal data, for example their collection, recording, storage, use, deletion etc. In the case of research projects, it can be for example the use of a database of contacts for telephone interviewing, in other cases the use of personal data for preparation of an employment contract, for answering an enquiry, for a research project realization etc.
Pseudonymisation = the processing of personal data in such a manner that the personal data can no longer be attributed to a specific natural person without the use of additional information which is kept separately and is subject to technical and organisational measures. In the case of research projects, it is for example a situation in which we replace your personal data by a numeric code based on a certain key during processing. Without knowing this key, no one is able to identify you as the one hidden under the numeric code.
Technical and organisational measures = measures established by the Controller, or the Processor, to ensure appropriate protection of personal data processed. It can be, for example, the above mentioned pseudonymisation, protection of the devices (computers and servers) used for processing the data but also regular trainings of employees who process personal data.
And now to NMS and the processing of personal data.
What specifically do we do?
NMS is an established market research agency which executes research projects on various topics for its clients. Usually, we realize such projects using the following methods:
- On-line interviewing in an on-line panel (CASI)
- On-line interviewing on a client’s database (CAWI)
- Telephone interviewing (CATI) on our own or a client’s database
- Personal interviewing (CAPI)
- Qualitative research (for example focus group discussions, individual interviews, on-line communities, eye tracking camera etc.)
- Mystery Shopping.
The objective of these research projects is not a collection of personal data and details of an individual person, we process the collected data in bulk, we are interested in the overall information about behaviour, attitudes and opinions of population or specific target groups, not of a specific individual.
Despite that, while working on a research project, we cannot avoid the need to process data which come from individuals, in our case from respondents. They give us voluntarily their opinions at our disposal and we use these data exclusively for a given research purpose. At the same time, we commit ourselves to protect our respondents’ privacy – to the highest possible degree we work with anonymized or pseudonymized data and do not pass these on to unauthorized persons.
In the case of certain methods (such as telephone interviewing, on-line interviewing on a client’s database etc.) we also need respondents’ contact details to be able to interview them, alternatively we need to know the contact details for the subsequent check of our interviewers’ work. In some cases, we also must use personal data for administrative reasons, for example to reward focus group participants. In all the situations we try to reduce the processing of personal data as much as possible. Technical-organizational processes are set in our company to protect respondents’ privacy in accordance with the EU REGULATION and the professional ethical rules.
To what extent and for what purpose do we process personal data?
Your personal data are processed to such an extent in which you or the ordering party of a research project provided them to us, and these personal data can be processed for the following purposes:
- research purposes (contacting respondents for an interview, recruitment of respondents, analysis of video recordings etc.) – it takes place with consent of the respondent, rightful interest of the ordering party of the research,
- rewarding participants of a research project (e. g. remuneration for participation in a focus group discussion) – based on a payslip signed by the respondent,
- the processing based on other legal regulations (e.g. Archiving Administration and Filing Service Act),
- rightful interest of the Controller (check of data quality, check of interviewers’ work etc.),
- concluding a contract (employment contract, agreement to perform work, contract for work etc.),
- HR purposes – processing personal data from the CVs sent by job applicants, processing employees’ personal data, sending offers for cooperation to external co-workers etc.,
- commercial purposes – answering an enquiry, research project realization etc., marketing purposes (such as sending news from NMS, invitations to our events etc.).
Where do we get personal data?
- directly from you – personal data and other information voluntarily provided within a research project in which you can for example express your opinion on products and services and thus contribute to their further improvement, or else during recruitment into research projects, from enquiries, received CVs, business cards handed over to us, concluded contracts,
- your personal data (mostly contacts) were provided to us for a research project by the company whose product or services you bought or used, or in which you are employed,
- we have our own database – database of respondents into which you were filed with your voluntary and explicit consent because you regularly cooperate with us and want to take part in our research projects.
What personal data do we process?
Usually, the following categories of personal data are processed:
- Identification data of respondents/clients/employees/external co-workers – name, surname including titles/degrees, address, company and other company details, date of birth, birth certificate number, ID number
- contact details of respondents/clients/employees/external co-workers – e-mail address, phone number,
- basic sociodemographic characteristics (sex, age etc.),
- information about consumer behaviour (e.g. shopping behaviour, monthly spend with the ordering party of the research, used products etc.),
- audio/audio-visual materials (recordings, video recordings, photographs),
- data about location (GPS in the case of personal interviewing which serves solely for checking our interviewers’ work).
We always process only the necessary personal data included in the list above, depending on the specific purpose of the processing (for example we do not process our clients’ birth certificate numbers and ID numbers), on the scale of the research project or alternatively on the data provided by the ordering party about their own customers.
To whom do we hand personal data over?
We always try to reduce the transmission of personal data to the lowest possible degree (in research projects by the means of anonymization or pseudonymization of data). In some cases, however, we cannot avoid that completely (for example when handing over the recordings of group discussions to the ordering party, interconnecting the research results with the ordering party’s database, using external co-workers, processing of accounting books etc.).
Therefore, in some cases personal data are handed over to these recipients:
- the ordering party of a research project (respondents are always informed in advance),
- other processors – see below,
- state and other authorities to fulfil our obligations established by legal regulations.
Which personal data do we process and how do we protect them?
The processing of personal data is carried out in our office and in NMS branches by our employees, alternatively by other processors (see below). The processing is done using computer technologies (mostly statistic, office and accounting software, alternatively our own NMS applications), or also in a manual way in the case of personal data on a paper form, while observing appropriate security principles for the administration and the processing of personal data. For this purpose, NMS has taken technical-organizational measures to ensure the protection of personal data, especially those which will prevent unauthorized or accidental access to personal data, their change, damage or loss, unauthorized transfers, their unauthorized processing as well as other misuse of personal data. Any subject to whom personal data may be disclosed respects the privacy rights of data subjects and is obliged to abide by the applicable personal data regulations and is contractually bound to such behaviour.
How long do we process personal data?
Personal data of respondents
We process your personal data for the duration of the research project and keep them for a maximum period of 6 months after its completion, if legal regulations or contractual provision with the ordering party of the research project does not state otherwise.
Personal data of clients
We process your personal data to ensure mutual rights and obligations given by the contract, or the research project, always for at least the duration of the contract or the research project, but no more than 3 years after the last joint research project.
Personal data of employees, external co-workers, job applicants
We are obliged to keep personal data of employees for 10 years and their earning records for 30 years. For record sheets, the retention period is 3 years. For our external co-workers, it is 10 years. However, it is possible to request the erasure of personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council. If you applied for a job in NMS, we can keep your data for up to 3 years.
What other processors do we use?
In some cases, we are helped with the processing of personal data by other processors, specifically:
- communication platform providers (e-mail, calendar, shared documents) and SMS system providers
- storages and streaming of multimedia recordings
- external payroll accountant
- external co-workers who, based on mandate, general or other contract, perform the processing of personal data within individual projects (mostly interviewers, operators, mystery shoppers, inspectors, recruiters, external moderators etc.).
However, it is not just about us. You also have your rights regarding personal data which we are happy to inform you about. Specifically, they are:
Right to information
If we process your personal data, you have the right to require free information about the processing at any time (in particular the identification of the controller and processor, or other processors; information on the purposes of the processing, the category of personal data concerned, the recipients or the category of recipients of personal data, the time for which personal data will be processed and stored; all available information about the source of personal data; whether the processing is carried out on the basis of a legitimate interest of the controller or the third party; information on whether there is automated decision making, including profiling). We will be happy to provide you with the information. If, however, we evaluate your request as manifestly unfounded or excessive, especially if it is repeated, we may refuse to oblige you with responding to such request or impose a reasonable fee taking into account the administrative costs of providing the requested information or communication or taking the required action.
Right to rectification
If you find out that the personal data we are processing about you are not valid, you have the right to require their rectification.
Right to object
If you believe, we are processing your personal data in violation of applicable legislation, you may object to such processing and ask us for clarification, require that we remove such a situation, in particular you may request blocking, rectification, addition or deletion of personal data. Contact us at any time by calling us on 222 351 611 or by e-mail on firstname.lastname@example.org or visit us in person.
You also have the right to submit a complaint against personal data processed to the relevant supervisory authority, the Office for Personal Data Protection, Pplk. Sochora 727/27, 170 00 Praha 7.
Right to erasure and withdrawal of consent
You may withdraw your consent with the processing of personal data you gave us at any time and in such a case all your personal data will be erased. The right to erasure does not concern personal data which we need to meet our legal obligations or to protect our legitimate interests. Your personal data will also be erased if they are no longer needed for the research project or another cooperation or if their storage is inadmissible for other statutory reasons, or if your objection to the processing of your personal data is considered justified.
Right to restriction of processing
You have the right to ask us for the restriction of processing if you believe the personal data we hold about you are inaccurate, their processing is unlawful, we do not need the personal data for the given research project, and in case you raise an objection and its evaluation is under way.
Right to data portability
If you gave us your consent to the processing of personal data or the processing is necessary to perform a contract or to implement the measures taken prior to the conclusion of the contract and the processing is automated, you have the right to ask us to provide you with the personal data which we hold about you in a structured, commonly used and machine-readable format.
Right not to be part of automated individual decision-making, including profiling
You have the right not to be subject to any decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if you consent to automated decision-making, including profiling, if it is necessary for entering into a contract or if it is authorized by the law.
What if you do not want to provide us with your personal data?
No problem, it is your right. But it is possible you will not be able to participate in some of our researches as respondents, which is a shame because your opinion matters. In our researches, you can for example evaluate providers of various services, praise them, complain, or help with the selection of a new product which might not have entered the market yet. And that is worth it 😊.
Whom can you contact?
If you have any additional questions, feel free to contact us. As well as if you want to claim any of your rights.
NMS Market Research s.r.o.
U Nikolajky 1070/13
150 00 Praha 5 – Smíchov
Phone: 222 351 611