Jurist Check

Can I purchase market research data without data protection responsibility?

If your organization is considering conducting market research or purchasing a consumer report from a third-party provider, there are several aspects of data protection law to consider.


Today, many companies offer services focused on global public opinion and conduct consumer research. You can purchase tailored results from famous market researchers such as YouGov, GlobeScan, Valued Opinions, Triaba, Branded Surveys, Toluna, etc. to evaluate your products or your brand recognition worldwide. Some of these providers claim not to collect personal data or share it with your organization, but to provide fully anonymized research results. However, the fact that personal details of survey participants, such as their name or email address, are not included does not mean that the survey is truly anonymous. Individual opinions, preferences and feedback are also considered personal data, so if you can trace data to the survey respondent in any way, then the survey content is personal data.

Data Protection Responsibility


Your organization should consider signing a data sharing agreement with the third-party service provider conducting the market research or preparing the consumer report for you, even if the service provider claims that no personally identifiable data from the survey panellists will be shared with you. The panel providers are the data controllers in respect of their permission-based panel of consumers, and it is possible that your organization acts as data controller for the panellists’ personal data to the extent they are used to carry out research on your behalf. Importantly, this can apply even if only the service provider processes the personal data and your organization does not process or receive any personal data.

Under GDPR, the controller is the entity determining the purposes and means of the processing of personal data, Art. 4 (1) lit. 7 GDPR. It is not necessary that the controller actually has access to the data that is being processed. Someone who outsources a processing activity and, in doing so, has a determinative influence on the purpose and essential means of the processing (e.g. by adjusting parameters of a service in such a way that it influences whose personal data shall be processed) is to be regarded as controller even though he or she will never have actual access to the data (Section 42, page 16, European Data Protection Board (“EDPB”) Guidelines 07/2020). The guidelines also include an example of such controllership for market research companies:

"Market research Company ABC wishes to understand which types of consumers are most likely to be interested in its products and contracts a service provider, XYZ, to obtain the relevant information.
Company ABC instructs XYZ on what type of information it is interested in and provides a list of questions to be asked to those participating in the market research.
Company ABC receives only statistical information (e.g., identifying consumer trends per region) from XYZ and does not have access to the personal data itself. Nevertheless, Company ABC decided that the processing should take place, the processing is carried out for its purpose and its activity and it has provided XYZ with detailed instructions on what information to collect. Company ABC is therefore still to be considered a controller with respect of the processing of personal data that takes place in order to deliver the information it has requested. XYZ may only process the data for the purpose given by Company ABC and according to its detailed instructions and is therefore to be regarded as processor."

If your organization determines the circumstances of the consumer research or market survey to a large extent, e.g. by creating the questionnaire and monitoring the collection of results, this implies that your organization determines the purposes and means of the processing. Your organization would then act jointly with the service provider as controller for processing the panellists’ personal data.

We thus recommend re-evaluating your role and your service provider's role in order to comply with applicable data protection requirements, such as the need to conclude a joint controller agreement under Art. 26 (1) Sentence 1 GDPR or a data processing agreement under Art. 28 GDPR.


An interesting example is the ruling of the CJEU in C-210/16 of 5 June 2018, where the Court of Justice of the European Union held that Wirtschaftsakademie Schleswig-Holstein GmbH and Facebook Ireland Ltd were both controllers of a Facebook fan page. Neither Wirtschaftsakademie nor Facebook Ireland gave notice of the storage and functioning of the cookie or of the subsequent processing of the data; therefore either data controller could be held liable for the entire damage by the data subject. For this reason it is essential for joint data controllers to determine their respective responsibilities by means of an arrangement, make it available to the data subjects, and establish a point of contact.


Applicability of GDPR


As the GDPR is a European Union regulation, it applies to the processing of personal data in the context of the activities of a controller or a processor in the European Union, regardless of whether the processing takes place in the Union or not, Art. 3 (1) GDPR.


The Regulation also applies to the processing of personal data of data subjects who are in the European Union by a controller or processor not established in the European Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the European Union; or (b) the monitoring of their behavior as far as their behavior takes place within the European Union, Art. 3 (2) GDPR.


Legal Basis for Processing


Even if you are not conducting a market survey yourself but engage a survey provider to do it for you, in the role of (joint) controller you have to make sure that the survey data was collected in a GDPR-compliant way. This means that companies conducting market research studies must be able to demonstrate that they have a legal basis for processing personal information in order to comply with Article 6 of the GDPR.


This means that market researchers should ask participants to consent to the use of their personal information for a specific reason. They will have to obtain consent before a survey is conducted to gather opinions and demographic information for that purpose. However, it is important to know that the same company may not use that personal information for a different set of services without regaining consent.


In addition, companies can try to collect customer information on the basis of a legitimate interest, which may include checking whether customers are satisfied upon receiving an ordered service or double-checking information that is collected in an interview setting. However, the GDPR specifies that legitimate interest is only given when a company puts the data subject’s personal interest over its own interest; therefore, for legitimate interest, the company must limit data collection to only that information required to reach the stated goal.


Necessary Data Protection Safeguards


If you have concluded that your organization falls under the GDPR rules, make sure you have considered all necessary steps.

Panellists need to be provided with all information at the start of the survey, before any data is collected, such as the purpose of processing, the identity of controllers and processors and their representatives, the type of information that will be processed, information about whether data will be exposed to third parties, the option to withdraw consent at any time, and information about transfer of data, if any. The easiest approach is to prepare a privacy statement to be shared with participants at the moment they express interest in participating in the research.


If survey data is collected based on consent, it is very important to keep a good record of it, especially to capture who consented, when, to what and how.


Ultimately, make sure you have considered whether your role in determining a survey, even if it is conducted by a third-party service provider, requires a joint controller or data processing agreement between your organization and the service provider. Even if the service provider claims that a data sharing agreement between you is not necessary, insist on signing one to ensure your compliance.
