The EU General Data Protection Regulation (GDPR) is a recent regulation that addresses EU citizen’s personal data collection, use, processing and transferring in or outside of the EU. It applies to all EU member states and any entity that transfers personal data outside the EU.
2. How our market research services are liable for GDPR?
We offer market/public opinion research services, therefore, like other market research organizations we often collect personal data. Since we have our business activities in Sweden, as an EU state member, and often do research with EU citizens, we are liable for GDPR.
3. What are a data processor and a data controller? Which one are we?
GDPR regulation consists of two concepts: data processor and data controller. A data controller is basically an entity that makes decisions for purposes, conditions, and means of the processing of personal data, whereas, a data processor is an entity that processes personal data on behalf of the controller. We, as Square Culture, are actually both, and we collect personal data in our business activities and make an analysis of the data to curate insights for our clients.
4.What is personal data?
Personal data is any type of information that is relevant to a person (a Data Subject), that can be used to directly or indirectly identify the person. Examples for personal data might include photos, email addresses, bank details, social media, websites, medical information, IP addresses, a name etc.
5.What is participant consent for? What does this consent include?
Since we work with data subjects, we ask subjects to sign a consent form for collecting their data and processing them. In the consent form we ask if they approve sharing personal data with us and we clearly explain: why we collect their personal data, how we collect, what we will use it for, how we will save/terminate their data and who will be getting the generated data after we process data through analysis with a clear and concise language. In most cases, we need to keep our clients’ names confidential, we explain clients’ business activities and what the data will be used for such as product or service development.
6.Why do we need to keep our data subjects’ profiles confidential?
As a research consultancy that handles data subjects’ personal data, we have to keep the data confidential for participants to feel safe to share their information with us and we let them know where we store their data. Participants, the data subjects, need to be confident that their information is not shared with a third party and they will not be exposed to any type of harmful situation in the research. We keep their profiles confidential to not risk that any of their personal information is leaked and used unintentionally.
7.What happens with audio/video data we collected in research?
Based on the agreement with both the client and the data subject we either store the data in a safe environment or delete it permanently.
8.What kind of precautions do we take to protect our data subjects? How do we handle participant data?
To protect our participants taking part in our research we take several precautions when collecting information. We do not take any photographs of their faces. In case that they agree, we take pictures of the products and services that they use in a way that the person is not identifiable. We also change their names to protect their personal information. To make sure that the participant data is handled in a way that the participant agrees on, we get a written consent from the participant that allows us to be transparent with what data is collected by us and what purpose it serves.
9. How do we handle our website visitors’ personal information? Why and how do we collect personal data including names and email addresses on our website?
Square Culture is committed to protecting and respecting our visitors’ privacy, and we only use visitors’ personal information to inform them about our products & services, news, events and articles. Time to time we send newsletters to them for this purpose.
On the subscription form, we have a button and the following statement: “If you consent to us contacting you for this purpose given above, please tick the box.” In the case of clicking the box and hitting the submit button, the visitor confirms to get information from us regarding the subjects given above. There is also a note on the form which clearly states that we permanently delete personal information provided by the visitor at any point on the basis of request.
Regarding cookies, we collect neither cookies nor IP addresses which might include personal information.
10.Where do we store personal data? And why do we store personal data? How long do we keep it?
We store personal data for the following two reasons:
1.Sending marketing & sales content through the emails: specifically newsletters.
2. Collecting/analyzing our participants’ data
We collect personal data from our website visitors in the case that they engage with us through a subscription form which is mentioned in the previous question in detail. We keep the data until they ask for permanent removal. We store this type of data on Hubspot.
We collect and store personal data to conduct research and make analyses. We always get, mostly written, permission for personal data from our participants and we clearly state there why we collect, how we process, what kind of outcomes there would be and how we protect the participants from any harmful situations. We store research data including personal information from participants on Google Drive. We treat different data variously. We delete voice records and videos right after completing the project. We keep participant quotations, insights and anonymized photos (no showing bodies or faces) in the research file on Google Drive. Since they are all anonymized, we expect no harm to our participants from the research we conducted.
11. Deleting data for research based on request
During our research projects, we will process and control the data for our participants. The range of personal information gathered throughout this process is broad; it will include name, age, gender identity, living location, personal beliefs and ethics, and other information regarding consumer habits and perceptions. These will remain secured throughout the project and deleted immediately upon completion of the project. However, at any point during the research project, participants have the right to rescind their participation and our rights to their data. If a participant requests to do so, we will delete and destroy all personal information completed up to that date.
12. How we treat collaborators’ data – how can they opt out.
We reach out to international collaborators and B2B sales assistants. These posts are shared online with an invitation for interested parties to email in with some personal information. In response to these, we must email parties with a note on what data we store (i.e. Name, Location, e-mail address, other contact details), and how. We make it clear that the contact details are stored in a secure location and not shared with any third-party players, unless with express permission by our collaborators (in case of the need to share opportunities or connect the network). Our collaborators will also be made aware that we can email them as and when project opportunities arise that may be of interest to them.
Every time we send out an email to collaborators, we must provide them the opportunity to unsubscribe or remove their data from our system. We will do so immediately and permanently so that we no longer can process or control their personal data.