1. In summaryBelow, we tell you in detail how we use and store all of your personal and web-use data but, in summary, any personal information you give to us or that our clients give us about you is safe and confidential: we store all of your information on a secure server and never share any of your personal details with anybody outside of CJM Research for their mailing or marketing purposes without your prior consent.
We only process our client’s data for the purposes of legitimate market research to help them improve their services and make more informed decisions to improve and develop their organisation.
We comply with the UK Market Research Society (https://www.mrs.org.uk) professional standards and guidelines and aim to provide all participants in our research with enough information to allow them to make informed decisions about whether to participate or not and why the research is being conducted.
All participation in our research is voluntary and participants can withdraw their willingness to participate at any time. We only store personal details for as long as is required for its original purpose after which your personal data will either be deleted completely or anonymised.
Callum MacKinnon, owner of CJM Research is a full member of the Market Research society and is registered with the Information Commissioner's Office under registration reference Z260205X.
2. IntroductionThis Privacy Notice explains in detail the types of personal data we may collect or process. It also explains how we’ll store and handle that data, and keep it safe.
Explaining some key termsThe law on data protection sets out a number of different reasons for which a company may collect and process your personal data, including:
Legitimate interest: This is the main reason we would be processing personal information. To provide services to our clients, we require personal data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact your rights, freedom or interests. For example, we may send you a survey on behalf of one of our clients where you are their customer or employee for the purposes of legitimate market research to help our clients develop their business.
Consent: In specific situations, we can collect and process your data with your consent. For example, when you tick a box to receive email newsletters or sign up to become a mystery visitor.
When collecting your personal data, we’ll always make clear to you which data is required in connection with the research in question.
Contractual obligations: In certain circumstances, we need your personal data to comply with our contractual obligations.
For example, if you become our client we will collect and store your contact information in order for us to conduct our work for you.
Legal compliance: If the law requires us to, we may need to collect and process your data.
For example, we can pass on details of people involved in fraud or other criminal activity affecting CJM Research to law enforcement.
Your personal detailsYour privacy is important to us, which is why we will never release your personal details to any company outside of CJM Research, or our clients. Where we provide information to clients this is only if you have given permission for us to do so and only the specific information you have asked us to share (we do not provide all your feedback just what you have asked us to provide. For example if you have had a problem and during a survey ask to be contacted about the problem we would send our client your contact information and the detail of the problem but not the answers to the whole survey).
We never share personal data with other companies/organisations for their mailing or marketing purposes unless you give clear consent to do so (although we reserve the right to disclose this information in the circumstances set out below).
We treat all of your personal information as confidential and keep it on a secure server.
When we may use your personal detailsWe typically handle personal information when acting on behalf of our client’s in conducting market research. For example, to send customers or employees an online survey. All our emails and surveys provide an option to unsubscribe from future mailings for that project.
We also handle personal information of interviewers and mystery visitors who work for us.
Occasionally we will contact our clients to keep them up-to-date with our products and services. This may include news of special events, promotions, product launches and new services.
You have the right to request a copy of any information that we hold about you at any time, and also to have that information corrected if it is inaccurate. To view any information you have disclosed, contact Callum MacKinnon, CJM Research, 12 Nasmyth Avenue, Bearsden G61 4SQ or email to email@example.com
Nothing in these Terms and Conditions affects your rights under the Data Protection Act 1998.
3. When do we collect your personal data?The following are some examples of when we collect your personal data:
- When you choose to complete any surveys we send you from CJM Research or on behalf of our clients they will provide us with data extracts of customers, potential customers, employees or other stakeholders.
- When you enter prize draws or competitions.
- When you register your interest as a mystery visitor or interviewer
- When we process our supplier, subcontractor or interviewer payments
- When you agree to participate in a focus group, hall test, depth interview or other research
- When our clients request or register an account for our online reporting
- When you create an account with us
- When you engage with us on social media
- When you contact us by any means with queries, complaints etc
- When you ask one of our staff to email you information
- When you book any kind of appointment with us or book to attend an event, for example a seminar or meeting
- When you comment on or review our products and services. Any individual may access personal data related to them, including opinions. So if your comment includes information about one of our client’s staff who provided that service, it may be passed on to them if requested. If it is passed on your details will be anonymised.
- When you’ve given a third party permission to share with us the information they hold about you.
- We collect data from publicly available sources (such as Land Registry) when you have given your consent to share information or where the information is made public as a matter of law.
- When you visit our premises we have CCTV systems operated for the security of both clients and our staff. These systems may record your image during your visit.
4. What sort of personal data do we collect/process?The following are some examples of the sort of personal data we collect/process:
- The most common type of personal data we process is our clients’ customer or employee details in order to send survey invitations. This is typically a name and email address. This information is usually only used to send invitations and is not stored in the survey responses, unless you provide it or give permission during the survey
- Sometimes we will process and store other information that is relevant to the research such as type of customer, age or gender. This is usually anonymised and if not personal details are deleted at the earliest reasonable opportunity
- During surveys, we often ask respondents for demographic information such as their age, gender occupation etc. This is done to allow us to compare different groups of people and is not used to identify you as an individual. Whenever we ask these questions we always give an option to not answer these questions
- Sometimes we gather information from participants who want our clients to contact them, for example about a problem they have had. We will gather your details and pass them to our client for this purpose. We will only transfer the minimum information to clients to allow them to deal with your request and will not provide all your data
- We often will offer the opportunity to participate in a prize draw for completing our surveys. Participation in the prize draw is totally voluntary and we explain why we are gathering your details. We only store personal information for the minimum time required and when a winner is drawn only your contact details are provided to our client to notify you of your win. We do not provide any survey responses as part of the prize draw information
- When you agree to participate in a focus group we will gather your personal details (name, telephone and signature) to provide information about the group, to confirm your attendance and as evidence of attendance. This is stored separately from any audio or visual recording and we do not record your name. If we video a focus group or workshop we will record your participation in the focus group but we will notify you of this in advance and get your informed consent
- We securely store and process the bank details of our interviewers, mystery visitors, suppliers and sub-contractors to allow us to pay them
- Details of your visits to our websites or apps, and which site you came from to ours
- We store personal information about mystery visitors, interviewers and sub-contractors to allow us to communicate with them
- Your image may be recorded on CCTV when you visit our premises
- Your social media username, if you interact with us through those channels, to help us respond to your comments, questions or feedback
5. How and why do we use your personal data?We want to help our clients understand, measure, develop and improve their products and services to make their business better. An important way to do this is through market research. We will often use personal information of customers, clients, employees and stakeholders, supplied by our clients, to conduct this research.
The data privacy law allows this as part of our clients’ legitimate interest in understanding their business, their customers, employees and providing the highest levels of service.
Of course, if you wish to change how we use your data, you’ll find details in the ‘What are my rights?’ section below.
All the research we conduct is voluntary and we will inform you of its purpose and allow you the decision to participate or not in advance. You can refuse to participate or withdraw your permission to participate at any time. We follow UK Market Research Society standards and guidelines for conducting research. These can be found here
Remember, if you choose not to share your personal data with us, or refuse certain contact permissions, we might not be able to provide some services you’ve asked for.
Here’s how we’ll use your personal data and why:
- To send you survey invitations, feedback requests or focus group/workshop invitations to help improve our or our clients’ services. These messages will not include any promotional content and do not require prior consent when sent by email or text message. We have a legitimate interest to do so as this helps make our or our clients’ products or services more relevant to you. Of course, you are free to opt out of receiving these requests from us at any time by clicking the opt-out link included in our survey invitations or by contacting us directly at the address or email provided below
- To respond to your queries, requests and complaints. Handling the information you sent enables us to respond. We may also keep a record of these to inform any future communication and to demonstrate how we communicated with you throughout. We do this on the basis of our obligations to you, our legal obligations and our legitimate interests in providing you with the best service and understanding how we can improve our service based on your experience
- To administer any of our clients’ prize draws or competitions which you enter, based on your consent given at the time of entering
- To develop, test and improve the systems, services and products we provide. We’ll do this on the basis of our legitimate business interests
- To protect our business, our clients’ businesses and research participants from fraud and other illegal activities. We’ll do all of this as part of our legitimate business interest
- To protect our premises, assets and staff from crime, we operate CCTV systems at our premises which record images for security. We do this on the basis of our legitimate business interests.
- If we discover any criminal activity or alleged criminal activity through our use of CCTV, fraud monitoring and suspicious transaction monitoring, we will process this data for the purposes of preventing or detecting unlawful acts. We aim to protect the individuals we interact with from criminal activities.
- Only with your consent, we will use your personal data, preferences and details to allow our clients to keep you informed by email, web, text and telephone about relevant products and services including tailored special offers, discounts, promotions, events, competitions and so on. We will only ever do this with your prior consent. Of course, you are free to opt out of hearing from clients by any of these channels at any time.
- To send clients and potential clients relevant, personalised communications in relation to offers, new services and products. We’ll do this on the basis of our legitimate business interest. You are free to opt out of hearing from us by email or post at any time using the contact details provided below.
- To comply with our contractual or legal obligations to share data with law enforcement. For example, when a court order is submitted to share data with law enforcement agencies or a court of law.
- Sometimes, we’ll need to share details of our clients with a third party who is providing a service (such as delivery couriers or specialist consultants). Without sharing your personal data, we’d be unable to fulfil this service to you and/or our clients.
- To build a picture of who you are and what you like, and to inform our business decisions, we’ll sometimes be requested to combine data captured from across our clients organisation, third parties and data from publicly-available lists We’ll do this on the basis of our or our clients’ legitimate business interest.
- To process your booking/appointment requests (such as a meeting with a consultant).
6. How we protect your personal dataWe know how much data security matters to our clients their employees and customers. With this in mind we treat data with the utmost care and take all appropriate steps to protect it.
The specialist survey software we use for our market research - SNAP Surveys Ltd is independently audited and certified by Bureau Veritas as being compliant with ISO 27001. The software also has ISO 9001:2015 quality certification (the International Kitemark for Quality Control, Management and Customer focus) ISO 20252:2012 market research processes certification (international standard for the Market Research Industry). You can read more about SNAP’s security and data protection here.
We secure access to our online surveys using ‘https’ technology. Hyper Text Transfer Protocol Secure (https) is the secure version of http, the protocol over which data is sent between your web browser and the website that you are connected to. The 'S' at the end of https stands for 'Secure'. It means all communications between your browser and the website are encrypted.
All our survey data is secured on password protected GDPR compliant servers (hosted at Rackspace and UKFast, and both are ISO 27001 certified) and all our devices that access your data are password protected.
Access to your personal data is password-protected, and sensitive data is secured by SSL encryption.
We monitor our system for possible vulnerabilities and attacks
7. How long will we keep your personal data?Whenever we collect or process your personal data, we’ll only keep it for as long as is necessary for the purpose for which it was collected by us or provided to us.
At the end of that retention period, your personal identifiable data will either be deleted completely pseudonymise (i.e. remove personal identifiers and hold separately to ensure they cannot be attributed) or will be anonymised, for example by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning.
Some examples of customer data retention periods:
Competition entries: When you enter a competition as part of one of our surveys we will
keep the personal data you give us for as long as the competition is open for plus one month. This can be up to 18 months.
Customer surveys: For some client surveys we may include your customer number and customer type/membership information, gender and/or age to allow us to compare different types of customers. We remove personal information and anonymise datasets as soon as possible.
Employee surveys: For some client employee surveys we may include your employee number, area of employment, length of time employed, gender, age. This information is only used for aggregated analysis and individual details are never provided to your employer.
8. Who do we share your personal data with?Very occasionally we will share your personal data with trusted third parties.
For example, specialist consultants (for example statisticians, data processing companies, or delivery couriers). We will only do so for our own legitimate business interests.
Here’s the policy we apply to those organisations to keep your data safe and protect your privacy:
- We provide only the information they need to perform their specific services.
- They may only use your data for the exact purposes we specify in our contract with them.
- We work closely with them to ensure that your privacy is respected and protected at all times.
9. Information about cookies and how CJM Research uses them
What is a cookie?A cookie is a small file of letters and numbers, which often includes a unique identifier that is sent to your device's browser from a website's computer and is stored on your device's hard drive. Cookies allow a website to recognise a user's device. Websites can send their own cookie to your browser if your browser's preferences allow it. For more information see aboutcookies.org website (www.aboutcookies.org).
Cookies also allow us to provide our service to you - for instance by recognising you when you have accessed certain areas of the survey so you go back to where you last were or by letting us know who has completed a survey so they are not sent reminders.
Our cookies do not store financial information, or information which is capable of directly identifying you (such as your name or email address). Cookies simply allow our website to retrieve this information from our systems in order to personalise and improve your experience.
10. What are your rights over your personal data?
An overview of your different rightsYou have the right to request:
- Access to the personal data we hold about you, free of charge in most cases
- The correction of your personal data when incorrect, out of date or incomplete.
- That we stop using your personal data for sending you survey invitations
- That we stop using your personal data for direct marketing (either through specific channels, or all channels)
- That we stop any consent-based processing of your personal data after you withdraw that consent
To ask for your information please contact The Data Protection Officer, CJM Research, 12 Nasmyth Avenue, Bearsden G61 4SQ or email firstname.lastname@example.org .
To ask for your information to be amended please contact us at the above addresses. If we choose not to action your request we will explain to you the reasons for our refusal.
Your right to withdraw consentWhenever you have given us your consent to use your personal data, you have the right to change your mind at any time and withdraw that consent.
Where we rely on our legitimate interestIn cases where we are processing your personal data on the basis of our legitimate interest, you can ask us to stop for reasons connected to your individual situation. We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal data.
Direct marketingYou have the right to stop the use of your personal data for direct marketing activity through all channels, or selected channels. We must always comply with your request.
Checking your identityTo protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make under this Privacy Notice.
If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to act.
11. The right to access data, data, rectification & erasureIn line with the right to be informed, participants have the right to access their own data. To ensure that this is the case, if a participant asks us what information we hold on them personally, we will share this with them in full. However, this will only ever be information they have provided us with initially, or information about the research groups they have taken part in. Participants also have the right to rectify any data we hold on them at any time.
In the even that a participant wishes to access the information that we currently hold on them, we will:
- Verify who they are over email (ask them to send a driving license, passport etc. scan) – We don’t want to share the wrong information.
- Share the data we hold on them (sharing can take place in an encrypted excel format).
- This information will be shared at latest within one month of a request being made.
As ever, if a participant wishes to have their information erased this will be actioned as soon as reasonably possible (and normally within 1 business day). Participants will be given the option to ‘restrict processing’ (whereby we continue to hold the data but do not contact them unless they expressly state at a future date that they would like to be re-contacted), or have a full secure erase carried out.
Where data is being processed on behalf of a client (e.g. during recruitment, fieldwork and some full-service projects) a point of contact will be established to allow an individual to contact the data controller if they wish to do so.
12. How can you stop the use of your personal data for market research purposesThere are several ways you can stop market research communications such as survey invitations from us:
- Click the ‘unsubscribe’ link in any email communication that we send you. We will then stop any further emails for that particular piece of research.
- Write to Callum MacKinnon, owner, CJM Research, 12 Nasmyth Avenue, Bearsden G61 4SQ
- Email Callum MacKinnon at email@example.com .
13. Contacting the RegulatorIf you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office.You can contact them by calling 0303 123 1113.
Or go online to www.ico.org.uk/concerns (opens in a new window; please note we can't be responsible for the content of external websites)
14. Any questions?We hope this Privacy Notice has been helpful in setting out the way we handle your personal data and your rights to control it. If you have any questions that haven’t been covered, please contact our Data Protection Officer who will be pleased to help you:
Email us on firstname.lastname@example.org
Or write to us at
Data Protection Officer, CJM Research
12 Nasmyth Avenue
End of document. Produced May 2018