The EU General Data Protection Regulation (GDPR) has applied since 25 May 2018. GDPR is the most significant data privacy regulation introduced in more than 20 years. It mandates new requirements for the collection, processing and transfer of the Personal Data of individuals in the EU (the regulation applies to data subjects in the EU regardless of citizenship) and comes with high fines and sanctions for noncompliance. Among its many requirements is the obligation not only to comply but to be able to demonstrate compliance.
The GDPR has a significant impact on research organizations that collect and process Personal Data. For more information about the GDPR, you can visit Cint's GDPR compliance page at: https://www.cint.com/gdpr
Cint places the highest priority on managing Personal Data in compliance with GDPR and accepted Information Security compliance practices. This document provides essential information about Cint’s GDPR Compliance.
Cint’s GDPR Compliance Program Overview
Cint has developed and implemented a compliance program that addresses GDPR requirements. Key components of the program include:
- Senior management awareness, sponsorship and regular compliance team reporting
- PIA and DPIA process
- Data Protection Officer appointment
- Regular privacy notice review and update
- Consent engine supporting consent by purpose
- Subject Access Request (SAR) process
- GDPR-compliant contract frameworks
- Breach notification
- Data Protection by Design
- Staff training
- On-going program governance
GDPR compliance and stakeholder roles are presented below:

| Stakeholder | Data Subject, Data Controller or Data Processor? | Roles and Responsibilities |
|---|---|---|
| Panelists/Participants | Data Subject | |
| Supply Partners (Including Panel Owners) | Data Controller | |
| Cint | Data Processor | |
| Cint | Data Controller | |
| Cint Clients (Sample/Survey/Research) | Data Controller | For Personal Data the Client collects (in accordance with agreement with Cint) |
| Cint Clients (Sample/Survey/Research) | Data Processor | For any Personal Data provided by Cint (in accordance with agreement with Cint) |
Cint will support the definitions of the age of a child (below which parental consent is required for the collection and processing of Personal Data) as defined by the GDPR and by the individual EU member states (GDPR Article 8 sets the threshold at 16 years but allows member states to lower it to as low as 13).
Consent
Consent is collected and used as the primary legal basis for the collection and processing of Personal Data (Cint may use other legal bases for certain types of processing if required). Cint collects, validates and stores consent by purpose for all Panelists and participants. Consents collected include:
- Privacy Notice and T&Cs
- Participation in surveys and other market research activities
- Use of cookies for market research purposes
- Other consents by purpose
Panel Members can review, modify or revoke their consents at any time.
Other Legal Bases
Performance of Contract. Cint uses "performance of contract" for Research Participants who withdraw their consent to processing, request that their Personal Data be deleted, etc. As stated above, Cint uses consent as its primary legal basis because it most effectively supports Data Subject rights.
Legitimate Interest. Cint uses "legitimate interests" for anti-fraud activities in cases where consent has not yet been obtained. Because Cint processes the data of research participants and provides access to many clients, consent is the preferred approach.
Data Subject Access Requests
Under GDPR, Data Subjects have the following rights:
- Right to be informed about processing
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object to processing
To address these rights, Cint has implemented a subject access request (SAR) process that covers all applicable Data Subject rights. Cint administers SARs on behalf of Supply Partners (the Data Controllers).
SARs are tracked and administered via Cint's Panelist Member Helpdesk system, which enforces response time requirements and records all interactions with Data Subjects. The key components of Cint's SAR process include:
- The requester's identity is validated
- The request is reviewed
- A date for response is calculated (initially 30 days; GDPR Article 12(3) requires a response within one month and allows an extension of up to two further months for complex or numerous requests, provided the Data Subject is informed within the first month)
- The Personal Data requested is carefully screened for appropriateness to the request
- Personal Data shared is provided via a secure channel
- Necessary records are maintained
Data Deletion
Cint uses the ISO 26362 (Access panels in market, opinion and social research) definition of an active Panelist: a Panel member who has registered to join a Panel and, within the last 12 months, has participated in at least one survey when requested or has updated his/her profile data.
Panel member data is deleted automatically at a pre-determined time after a panelist becomes inactive or immediately upon Panelist request.
Data Transfer
Cint processes and stores all Personal Data of EU data subjects in the EU. Any transfer of Personal Data out of the EU takes place only when required for service fulfilment, via Data Processing Agreements (DPAs) or other appropriate agreements. Note that a DPA governs the processor relationship; an international transfer additionally requires a valid GDPR Chapter V transfer mechanism, such as an adequacy decision or Standard Contractual Clauses.
Information Security
Cint supports the information security requirements mandated by GDPR, including appropriate physical, technical and organizational measures (using the ISO 27001 framework) to ensure a level of security appropriate to the risk. This also covers GDPR requirements such as data breach notification (notification to the supervisory authority within 72 hours of becoming aware of a breach, where feasible). Cint has implemented encryption of Personal Data in transit and is implementing encryption at rest. Cint is also enhancing its authentication and authorization systems to better protect Personal Data.
Cint’s Data Protection Officer
Cint has appointed a Data Protection Officer (DPO) whom you can contact if you have any questions about Cint’s GDPR program:
Peter Milla