Gemic

PRIVACY POLICY OF GEMIC’S RESEARCH PARTICIPANT REGISTER

1 CONTROLLER

GEMIC Oy (2177819-6, “we” and “us”)

Lönnrotinkatu 5, 00120 Helsinki, Finland

Tel: +49 1787123181, e-mail: contact@gemic.com

2 CONTROLLER’S CONTACT PERSON

Constance Mueller-Trimbusch
Mikonkatu 17, 00100 Helsinki
Tel: +49 1787123181, e-mail: constance.mueller-trimbusch@gemic.com

3 NAME OF REGISTER

Research participant register.

4 WHAT PERSONAL DATA WE COLLECT

Personal data is in most cases collected directly from you or generated through your participation in our research.

  • Name
  • Contact information: phone number, post address and email address
  • Age
  • Area of residence
  • Life stage
  • Profession and/or job title
  • Education
  • Income bracket
  • Ideals and aspirations
  • Hobbies and interests

  • Consumer behaviour
  • Health condition and health-related opinions and practices
  • Photographs, video image

We collect information you provide directly to us and information we can observe. We may also collect data that can be found from public sources. Lastly, we may collect sensitive personal data via photographs and video, such as ethnicity, health, etc., if you have given explicit consent to the processing of photographs and video.

5 HOW WE MAY USE YOUR PERSONAL DATA AND THE LAWFUL BASIS FOR DOING SO

We use your personal data in the context of consumer research. Research is conducted in order to help our clients with product and service development.

Product, service and client analysis (data subject consent)

The main purpose of our processing of personal data is product, service and client analyses. The data allows us to optimize and develop our client’s services and products, which is the foundation of our client consultation projects.

Reassessing data validity, secondary analysis and storing consent documents (legitimate interest)

After conducting our product, service and client analysis, we store personal data in order to reassess the validity of our data. We give our clients recommendations based on our research data, so evaluating these recommendations requires access to existing research data. Occasionally, personal data may also be used to assess the validity of another project’s data and recommendations (secondary analysis).

We also store the data that demonstrates that you have given your consent for taking part in our research. We store this data to defend against possible claims.

6 WHO WE MAY DISCLOSE YOUR PERSONAL DATA TO AND DO WE TRANSFER DATA TO THIRD COUNTRIES

We store and share your personal data with others such as third party IT service providers. We have entered into agreements with selected service providers, which include processing of personal data on behalf of us.

We use research presentations to present research findings to our clients. In our research presentations, we may disclose to our clients photographs that were taken during the research. Sometimes the caption of a photograph may include a quotation from you related to the matter. By default, all other personal data that is disclosed to the client is anonymized by virtue of us aggregating the research data. However, in rare cases, when we are obliged to highlight concrete consumer examples to our client, we may disclose your basic personal data (e.g. age, occupation and area of residence). To clarify, opinions related to sensitive matters will always be either pseudonymized or anonymized.

We may also transfer personal data to organisations in countries outside of the European Economic Area. These countries consist of the United States of America (USA), Chile, Singapore and Taiwan. These transfers are protected by virtue of the following:

  • the EU Commission has decided that the data processor has an adequate level of protection; and
  • other appropriate safeguards have been taken, for example the use of the standard, written contractual clauses (EU model-clauses) approved by the EU Commission.

7 HOW LONG WE PROCESS YOUR PERSONAL DATA

We will keep your data for as long as they are needed for the purposes for which your data was collected and processed.

This means that we keep your data for as long as necessary for the purpose of consumer research. After the research ends, we hold it appropriate to store the details of the consumer research up to two (2) years for product, service and client analyses and to defend against possible claims. Given that the research data is relevant, we may use your data for other client projects as well. Your personal data will always be treated confidentially and at any given moment throughout the lifecycle of your data, you have the right to exercise your rights as mentioned in section 9. To clarify, in some cases, such as if your personal data is in a group video, we might not be able to erase the personal data without deleting multiple personal data. In these types of situations, we might not be able to comply with erasure requests, but we will nevertheless delete all your other data where the deletion of multiple personal data does not apply.

8 HOW WE PROTECT YOUR PERSONAL DATA

All authorized users, Gemic employees and possible third party service providers are required to treat personal data as confidential. We use appropriate technical, organizational and administrative security measures to protect any information we hold from loss, misuse, and unauthorized access, disclosure, alteration and destruction. The personal data is stored in electronic systems that can only be accessed by authorized users. Authorized users are those Gemic employees who have a legitimate reason for processing personal data. Authorized users must enter their individual, unique login credentials and passwords to access the systems. The personal data is stored in databases that are protected by firewalls, passwords and other methods. The databases and their backup copies are located in restricted areas where only authorized personnel can enter.

9 YOUR PRIVACY RIGHTS

You as a data subject have rights in respect of personal data we hold on you. You have the following rights:

  • request access to your personal data. You have a right to access the personal data we are keeping about you.
  • request correction of incorrect or incomplete data. If the data are incorrect or incomplete, you are entitled to have the data rectified, with the restrictions that follow from legislation.
  • request erasure. You have the right to request erasure of your data in case:
    • you withdraw your consent to the processing and there is no other legitimate reason for processing,
    • you object to the processing and there is no justified reason for continuing the processing; or
    • processing is unlawful.
  • limitation of processing of personal data. If you contest the correctness of the data which we have registered about you or lawfulness of processing, or if you have objected to the processing of the data in accordance with your right to object, you may request us to restrict the processing of these data to only storage. The processing will only be restricted to storage, until the correctness of the data can be established, or it can be checked whether our legitimate interests override your interests.
  • If you are not entitled to erasure of the data which we have registered about you, you may instead request that we restrict the processing of these data to only storage. If the processing of the data which we have registered about you is solely necessary to assert a legal claim, you may also demand that other processing of these data be restricted to storage. We may process your data for other purposes if this is necessary to assert a legal claim or if you have granted your consent to this.
  • object to processing based on our legitimate interest.
  • data portability. You have a right to receive personal data that you have provided to us in a machine-readable format. This right applies to personal data processed only by automated means and on the basis of consent or of fulfilling a contract. Where secure and technically feasible, the data can also be transmitted to another data controller by us.

Your request to exercise your rights as listed above will be assessed given the circumstances in the individual case. Please note that we may also retain and use your information as necessary to comply with legal obligations, resolve disputes, and enforce our agreements.

10 HOW CHANGES TO THIS PRIVACY POLICY SHALL BE MADE

We may change this privacy policy from time to time. We will not diminish your rights under this privacy policy or under applicable data protection laws in the jurisdictions in which we operate. If the changes are significant, we will provide a more prominent notice when we are required to do so by applicable law. Please review this Privacy Policy from time to time to stay updated on any changes.

11 CONTACTING US AND THE DATA PROTECTION AUTHORITY

If you have any questions and concerns regarding our privacy policy, you can contact the controller’s contact person. If you wish to exercise your rights as a data subject, you can send the request to personal-data@gemic.com.

You can also lodge a complaint or contact the Data Protection Ombudsman.