Privacy Notice

This privacy notice informs you how GfK collects and processes your personal data in connection with your visit on our website. Other privacy notices apply to you, for example if you participate in one of our panels or special market research studies. We will inform you about these separately.

GfK consists of the companies listed here, which together form the "GfK Group". "GfK", "we", "us", "our" means the GfK company identified in this privacy notice as the controller for processing your personal data.

Where we refer to personal data below, we mean any information relating to an identified or identifiable living person. Personal data that has been anonymized in such a way that the data subject cannot be identified or can no longer be identified (anonymous data) is no longer considered personal data.

The Service is a web-based data exchange platform that serves to facilitate the execution and delivery of our client projects as it enables the efficient and secure exchange of relevant documents and data. The Service is not directed to individuals under the age of 16 (children). If we become aware that personal data from a child has been inadvertently collected without the consent of such child's parent or guardian, we will use all reasonable efforts to delete such information.

We may need to amend or update this privacy notice from time to time. Therefore, please read this privacy notice at regular intervals.

I. Controller, data protection officer

For the purposes of this privacy notice, the controller is:

Sophie-Germain-Strasse 3-5

90443 Nuremberg

Germany

GfK has appointed data protection officers as shown in the list of GfK companies here.

II. Content

In this privacy notice, we inform you about the following:

which personal data we process in the context of your visit to our website; (III. Personal data categories)?
the purposes and legal basis of the processing; (IV. Purpose and legal basis of the processing)
to whom we transfer your personal data to; (V. Recipients)
whether the provision of your personal data is mandatory and the consequences of not providing it; (VIII. Are you obliged to provide your personal data?)
your rights regarding your personal data (IX. Your data subject rights) and how you can exercise these; (XIII. Questions, exercising your data protection rights, complaints)
the duration of the processing; (X. Duration of the processing)
our security measures; (XI. Security)and
cookies and similar technologies we use. (XII. Cookies and other technologies)

III. Personal data categories

When you visit our website, we process the following personal data:

1. When you access our website

Each time you access our website, your internet browser automatically sends certain information to our website server and temporarily stores it in so-called log files.

We use Internet log data to improve the user experience, performance, and security of our surveys and other solutions, and for quality assurance purposes. The following internet protocol data is automatically transmitted:

IP address of your device;
name of the accessed files and contents;
date and time and duration of your website visit;
volume of personal data transferred;
operating system and internet browser including installed add-ons and other technologies of the your device;
internet address of the website from where you accessed our website (so-called origin or referrer URL);
Name of the service provider that provides access to our website;

In the log files, personal data is stored with the shortened IP address so that no inference to your IP address is possible.

2. When you provide your personal data

We process personal data that you provide to us when you:

fill in contact forms or otherwise communicate with us, whether by email, post or telephone;
create a user account;
register to receive our newsletter/system information;

This concerns the following personal data, if provided by you:

contact and identification data (title, name, office address, name and place, nationality, telephone numbers, other contact details and email address, job information, employer);
user data (e.g. email, password, username or similar identifier, preferred settings, feedback);

IV. Purpose and legal basis of the processing

We process your personal data on the following legal bases:

Consent: You have given your consent to the processing of your personal data for one or more specific purposes (Art. 6 para. 1 lit. a GDPR);
Performance of contract or pre-contractual measures: The processing is necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering into a contract (Art. 6 para. 1 lit. b GDPR);
Legal obligation: The processing is necessary for the compliance with a legal obligation to which we are subject (Art. 6 para. 1 lit. c GDPR);
Legitimate interest: The processing is necessary for the purposes of our or a third party's legitimate interests, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of your personal data (Art. 6 para. 1 lit. f GDPR).

In the following, we inform you in detail about the processing purposes and the associated legal basis:

Purpose	Legal basis
Provision of our website for the public and for the purpose of contacting customers and interested parties	Performance of a contract or legitimate interest (GfK's interest in providing a functioning website)
Provision of the Service, for example to provide them you information regarding the Service, such as about any changes or scheduled downtimes	Performance of a contract
Investigating malfunctions and ensuring system security, including detecting and tracking unauthorised access attempts and access to our web servers.	Compliance of legal obligations (for data security); legitimate interest (GfK's interest in system security, in particular troubleshooting and elimination of unauthorised access).
Newsletter mailing	Consent
Communicating with you as a client (e.g. on GfK products and services, policies and terms and conditions, feedback and other enquiries).	Performance of a contract or pre-contractual measures, legitimate interest (GfK's interest in processing your feedback and other requests)
Provision and management of your user accounts	Performance of a contract, legitimate interest (GfK's interest in setting up user accounts)
Newsletter mailing	Consent
Assertion of legal claims and defence in legal disputes	Legitimate interest (GfK's interest in asserting, enforcing claims or defending itself in legal disputes)
Purposes of prevention, investigation, reporting of criminal offences, for example, fraud, e.g. credit card misuse, identity deception	Weighing up interests (GfK's interest in criminal investigation and prosecution)

V. Recipients

We may share your personal data with other companies in the GfK Group. Within the GfK Group, only employees and departments with a “need to know" have access to your personal data and only to the extent necessary. Regarding the transfer of your personal data within the GfK Group, the companies of the GfK Group are either independent controllers, joint controllers or processors, depending on the processing activity.

We may transfer your personal data to recipients, who are usually processors, outside the GfK Group. These third parties generally belong to the following categories of recipients:

service providers for the operation of our website and the processing of personal data stored or transmitted by the systems (e.g. hosting or service providers for data centre services, payment processing or IT security);
consultants and service providers as independent controllers or joint controllers (e.g. insurance companies or accounting service providers);
persons who are subject to professional secrecy or are obliged to maintain confidentiality, for example lawyers, tax consultants and auditors;
government agencies/authorities, insofar as this is necessary to comply with legal obligations;
persons involved in carrying out our business operations (e.g. auditors, banks, insurance companies, legal advisors, regulatory authorities, parties involved in company acquisitions or the establishment of joint ventures);
recipients in the course of any reorganisations, mergers, disposals or other transfers of assets. We will then ensure that the recipient of your personal data agrees to handle it in a manner that complies with applicable data protection law and is compatible with the original purposes of the processing. We continue to ensure the confidentiality of your personal data and inform you about the transfer to another controller.

Where we use third party service providers (including processors), these third parties are subject to contractual obligations (e.g. a data processing agreement). These processors will only process your personal data in accordance with our prior written instructions and must take measures to protect the confidentiality and security of your personal data.

VI. Transfers of Data outside the EU/EEA

Due to the international nature of our business, it may be necessary for us to transfer your personal data to other companies within the GfK Group and to third parties outside the European Union (EU) and/or the European Economic Area (EEA) (“Third Countries"). For this reason, we may transfer your personal data to Third Countries that have different laws and data protection compliance requirements than the country in which you are located. The third countries concerned, e.g. the USA, may not have the level of data protection that you enjoy under the GDPR. This can mean disadvantages such as an impeded enforcement of data subjects' rights, a lack of control over further processing and access by state authorities. You may only have very limited legal remedies against this.

Within the GfK Group, we have concluded an intra-group data transfer agreement with the relevant transfer mechanisms (standard contractual clauses of the European Commission) to ensure an adequate level of protection for your personal data when it is transferred from the EU/EEA to third countries.

Insofar as we transfer your personal data from the EU/EEA to recipients in third countries that are not covered by an adequacy decision of the EU Commission, we achieve an adequate level of data protection by concluding standard contractual clauses of the European Commission or by means of binding corporate rules of our business partners and supplement these transfer mechanisms with further contractual, technical and organisational measures if necessary. Please contact dpo@gfk.com to obtain a copy of transfer mechanisms.

VII. Publicly available sources, source from which the data originate

We do not obtain personal data from other sources than yourself or as described in this privacy policy.

VIII. Are you obliged to provide your personal data?

In principle, you are not obliged to provide your personal data. However, if you do not provide your personal data, we may only be able to provide you with limited services or not answer your enquiries. If the processing of your personal data is necessary for the fulfilment of a contract between you and us and you do not provide the required information, we may discontinue our contractual services. In this case, we will notify you in advance.

IX. Your data subject rights

You have the following rights in relation to your personal data:

right of access and right to receive a copy of your personal data, Art. 15 GDPR
right of rectification, Art. 16 GDPR
right to erasure (“right to be forgotten"), Art. 17 GDPR
right to restriction of processing, Art. 18 GDPR
right to data portability, Art. 20 GDPR

Right to object, Art. 21 GDPR: You have a general right to object, on grounds relating to your particular situation, if we process your personal data on the basis of our legitimate interest. This means that you must always give reasons for your objection and the reasons for the objection must not result from the processing situation as such but must be justified in your person. We will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

Further, you have the right to object to the processing of your personal data for direct marketing purposes at any time.

Withdrawal of consent: You can withdraw consent at any time with effect for the future by contacting us at dpo@gfk.com or using the contact information in section 1.

Right to lodge a complaint: In the event of a (suspected) breach of applicable data protection laws, you may lodge a complaint with the supervisory authority.

We do not make decisions based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you (Art. 22 GDPR).

Processing Time: We will comply with your request within 30 days. This period may be extended by a further two months if necessary, considering the complexity and number of requests. GfK will inform you of any such extension, together with the reasons for the delay, within one month of receipt of the request. This does not apply to right to withdraw consent, which we implement without delay within our statutory obligation.

X. Duration of the processing

We will only process your personal data for as long as is necessary to achieve the above purposes. Third parties engaged by us will store your personal data on their systems for as long as is necessary in connection with the provision of services to us in accordance with the relevant contract. We will delete or anonymise your personal data as soon as it is no longer required for the purposes described in this privacy notice and if we have no legal basis to further store your personal data.

In addition, the retention period may be extended if we are subject to statutory retention and documentation obligations (for Germany these are up to ten years). The retention period may also be based on the statutory limitation periods (for Germany this is up to thirty years, with the regular limitation period being three years). In certain circumstances, we may also need to store your personal data for longer, e.g. in connection with authority or legal proceedings.

With regard to the use and retention period of cookies, please note section XII.

XI. Security

We protect your personal data from loss, misuse, disclosure, alteration, unavailability, unauthorised access and destruction and maintain the confidentiality of your personal data. This is also ensured using appropriate technical and organisational measures. We choose our security measures taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons and continuously improve them. Technical measures include, for example, the use of encryption (e.g. TSL encryption for personal data in transit), access control to our systems, monitoring of critical IT system resources and system messages, ensuring the availability and resilience of systems and services.

Organizational measures include, for example, defining roles and responsibilities, ensuring the correct and secure operation of information processing systems, regular training and awareness-raising of employees, as well as evaluating and assessing the effectiveness of the aforementioned measures. Access to your personal data is only granted to employees, service providers or GfK Group companies who require such access for the fulfilment of a business purpose or for the performance of their duties.

XII. Cookies and other technologies

Our website contains cookies and other technologies (e.g. pixels, scripts) (together “Cookies"). Cookies are used to make our website user-friendly, effective and secure. Cookies are, for example, small text files that are stored on your terminal device and contain personal data such as personal settings and login information.

We only use „Necessary Cookies“ on the website. These Cookies are necessary for the functioning and management of the website and cannot be disabled in our systems. They are usually set based on your input, such as when you set your Cookie preferences, log in, or fill out forms. You can set your browser to block these Cookies, but then some parts of the website will not work.

We only use first party Cookies that come from our platform and send information only to us. We use session Cookies, which are only stored for individual online sessions and are deleted when you close your browser; and persistent Cookies, which are deleted when they reach their expiry date or are deleted by the user.

The placement and subsequent processing of Necessary Cookies is based to provide you with an expressly requested tele media service and on our legitimate interest to provide you with a technically optimized, user-friendly and appropriate website.

We also use first party „Persistent Cookies“, i.e. Cookies that have a loger lifespam, to allow access to documents via Microsoft Windows SharePoint Server (GfK Connect) without the Users having to re-authenticate. That way, you can access documents stored for you in GfK Connect without additional login. In that case, the Cookie contains the login name of the user. This can be the email address or the user account name (depending on by which identifier the user authenticated). In addition, the URL www.gfkconnect.com is stored and a cryptic ID like “293848390580" that is associated with the respective user. These types of Cookies are strictly necessary for the functioning of the Service requested by the User.

Etracker technology: Our Website uses etracker technology (www.etracker.de) to collect visitor behavior data. The data are collected anonymously to be used for understanding how GfK connect is being used and optimization. All visitor data are saved using an anonymous user ID to aggregate a usage profile. Cookies may be used for this purpose. By using such Cookies, it is possible to recognize the visitor's browser. The data collected via etracker technology will not be used to determine the personal identity of the website visitor or compiled with personal data pertaining to the user of the pseudonym unless agreed to separately by the person concerned. The collection, processing and use of your personal data may be refused at any time with respect to subsequent services by enabling the following opt-out link: Refuse data collection.

You can withdraw your consent at any time with effect for the future, e.g. by managing your Cookie settings or by sending an e-mail to dpo@gfk.com.

Cookie subgroup

First/ Third party

Lifetime

Type

federation.gfk.com

MSISAuth

MSISAuthenticated

MSISIPSelectionPersistent

MSISLoopDetectionCookie

MSISSignOut

First

Session cookie

Neccesary cookie for federation login

federation.gfk.com

MSISIPSelectionPersistent

First

Persistent cookie

Neccesary cookie for federation login

You can also use our website without Cookies, but you might not be able to use our website to its full extent or to use certain functionalities.

XIII. Questions, exercising your data protection rights, complaints

If you have any questions or complaints about the collection, use or retention of your personal data, or if you wish to exercise any of your rights in relation to your personal data, you can contact our data protection officer by emailing dpo@gfk.com.

We will investigate and attempt to remedy any complaint or dispute regarding the processing of your personal data. You can also lodge a complaint with the competent data protection authority.