Last revised: Sep 11, 2019


1          About GfK

GfK (“we”, “us”, our”) respects the privacy of users (“you”, “your”, “User”) of its online services and applications. As a data controller located in the European Union, we process personal data in compliance with applicable data protection law, in particular the General Data Protection Regulation (“GDPR”).

This document (the "Privacy Policy") explains how we collect, use, disclose and protect personal data (“Personal Data”) submitted through GfK Connect (the “Service”).

The Service is a web-based data exchange platform that serves to facilitate the execution and delivery of our client projects as it enables the efficient and secure exchange of relevant documents and data.

2          Personal data concerning you that we process when you use the Service

2.1      Personal data you provide through the Service

When you apply for a user account for the Service, GfK collects personal data concerning you, at least your name, office address, office telephone number and office e-mail address. You will also receive a user name and an initial password (together your “login credentials”) from us. We encourage you to change your password immediately upon receipt of your login credentials. Your password will be stored in an encrypted form. If you lose your password, GfK is able to reset it.

2.2      Cookies and similar technologies 

Cookies are small text files placed on your computer or mobile device when you access websites. “First party” cookies are set by websites that you are visiting at the time. “Third party” cookies are set by domains other than those of the websites that you visit. Many cookies expire (are automatically erased) after a certain time-span which may vary between a few hours and several years.

The use of cookies is limited to “First party” cookies. We use only use “Session cookies” and “Persistent cookies” with the Service.

Session cookies remain on your computer or mobile device while you use the Service. They expire when you close your web browser.  Persistent cookies remain on your computer/device for a period of time specified in the cookie, if you have ticked the “This is a private computer” check box on login page of the Service. The Service uses mainly first party session cookies while you are connected to the Service.  First party cookies are cookies originating from the domain pertaining to the website that you are currently viewing in the browser while the cookie is set. In the case of the Service, this means the domain

Session cookies serve to keep a secure session alive until the browser is closed. They are necessary for data security purposes and the protection of the personal data of visitors to websites.

We also use first party persistent cookies to allow access to documents via Microsoft Windows SharePoint Server (GfK Connect) without the Users having to re-authenticate. That way, you can access documents stored for you in GfK Connect without additional login. In that case, the cookie contains the login name of the user. This can be the email address or the user account name (depending on by which identifier the user authenticated). In addition, the URL “” is stored and a cryptic ID like “293848390580” that is associated with the respective user.

These types of cookies are strictly necessary for the functioning of the Service requested by the User.

ETracker technology: Our Website uses etracker technology ( to collect visitor behavior data. The data are collected anonymously to be used for understanding how GfK connect is being used and optimization. All visitor data are saved using an anonymous user ID to aggregate a usage profile. Cookies may be used for this purpose. By using such cookies, it is possible to recognize the visitor’s browser. The data collected via etracker technology will not be used to determine the personal identity of the website visitor or compiled with personal data pertaining to the user of the pseudonym unless agreed to separately by the person concerned. The collection, processing and use of your personal data may be refused at any time with respect to subsequent services by enabling the following opt-out link: Refuse data collection.

2.3      Can website users block cookies?

Yes, you can adjust the privacy settings in your browser to block all cookies; however, this could severely affect your browsing experience as many websites may not function properly. Your browser may allow you to delete all cookies upon closing your browser. This option, though, results in persistent cookies getting deleted that may store your preferences and personalized settings on websites that you visit regularly. It is possible to keep desired cookies, though, as your browser may allow you to specify which websites are always or never allowed to use cookies. 

2.4      Log files

As is true of most websites, we gather certain information automatically and store it in log files. This information includes IP addresses, browser type, Internet service provider (ISP), referring/exit pages, operating system and date/time stamp.

We use this information to administer the site and may link this automatically-collected data to personal information for legitimate purposes, such as to detect and prevent fraudulent activity.

3          How we use personal data in the context of the Service

We will only use personal data concerning you as set forth in this privacy policy, unless you have specifically consented to or opted-in to another use of your personal data.

If you are a GfK employee, we process your personal data in the context of the Service for purposes of the legitimate interest pursued by GfK, thus, in order to enable efficient project execution and delivery through secure and easy exchange of relevant documents and data with our clients.

If you are a client of GfK, we process your personal data in the context of the Service as requested by you for the performance of the underlying contract or service agreement to which you are party, pertaining to the project/s for which you wish to exchange documents and data with GfK.

We process the Users’ personal data for the following purposes:

·         to enable their use of the Service which requires registration and authentication,

·         to respond to their requests,

·         to provide them with information regarding the Service, such as about any changes or scheduled downtimes


We also allow Users to notify other Users by email when documents are shared with them.

GfK is synchronizing user lists with your company at regular intervals to avoid the misuse of licenses.

4          How we share personal data

We will disclose your personal data only for the purposes and to those third parties, as described below. GfK will take appropriate steps to ensure that your personal data are processed, secured, and transferred according to applicable law.

4.1      Within GfK Group

GfK is part of a global organization (the “GfK Group”), consisting of several companies in and outside the European Union, all primarily owned by GfK SE in Germany. Your personal data may be transferred to one or more GfK Group affiliated companies as needed for data processing and storage, providing you with access to our services, providing customer support, making decisions about service improvements, content development and for other purposes as described in Section 3 of this Privacy Policy. We do not disclose personal data of participants in market research projects to third parties outside the GfK Group unless the participants have declared their prior explicit consent for the specific purpose.

4.2        External service providers

Where necessary, we will commission other companies and individuals to perform certain tasks contributing to our services on our behalf within the framework of data processing agreements. We may, for example, provide personal data to agents, contractors or partners for hosting our databases and applications, for data processing services, or to send you information that you requested, or to call-centers for the purpose of provision of support services or interviewing in the course of market research projects. We will only share with or make accessible such data to external service providers to the extent required for the respective purpose. This data may not be used by them for any other purposes, in particular not for their own or third party purposes. GfK’s external service providers are contractually bound to respect the confidentiality of your personal data.

4.3       Business transfers

In connection with any reorganization, restructuring, merger or sale, or other transfer of assets (collectively "Business Transfer"), we will transfer data, including personal data, in a reasonable scale and as necessary for the Business Transfer, and provided that the receiving party agrees to respect your personal data in a manner that is consistent with applicable data protection laws. We will continue to ensure the confidentiality of any personal data and give affected users notice before personal data become subject to a different privacy policy.

4.4       Public bodies

We will only disclose your personal data to public bodies where this is required by law. GfK will for example respond to requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include such authorities outside your country of residence.

5          International transfers of personal data

Under specific circumstances, it will also be necessary for GfK to transfer your personal data to countries outside the European Union/ European Economic Area (EEA), so called "third countries". Such third country transfers may refer to all processing activities describes under Sec. 3 of this Privacy Policy. This Privacy Policy shall apply even if we transfer personal data to third countries, in which a different level of data protection applies than in your country of residence. In particular, an international data transfer may apply in the following scenarios:

5.1      Legal entities of GfK Group

GfK Group’s legal entities outside the European Union have entered into intra-company data protection agreements using standard contractual clauses adopted by the European Commission to safeguard your privacy and legitimize international data transfers.

5.2      Other third parties outside the EU / EEA

Any transfers of personal data to third parties outside the GfK Group will be carried out with your prior knowledge and, where applicable, with your consent. Any transfers of personal data into countries other than those for whom an adequacy decision regarding the level of data protection was made by the European Commission, as listed on, occur on the basis of contractual agreements using standard contractual clauses adopted by the European Commission or other appropriate safeguards in accordance with the applicable law. 

6          Personal data of children

The Service is not directed to individuals under the age of 16 (children)..  If we become aware that personal data from a child has been inadvertently collected without the consent of such child's parent or guardian, we will use all reasonable efforts to delete such information.

7          Third Party Websites  

As a convenience to our visitors, this website may contain links to websites that we believe offer useful information.  The policies and procedures we describe here do not apply to those websites. We suggest contacting those websites directly for information on their privacy policies. 

In particular, GfK is not responsible for data protection practices of third party websites to which Users may place hyperlinks as part of user content that they upload to the Service.

8          Your legal rights

As a data subject you have specific legal rights relating to the personal data we collect from you. This applies to all processing activities stipulated under Section. 3 of this Privacy Policy. GfK will respect your individual rights and will deal with your concerns adequately.

The following list contains information on your legal rights which arise from applicable data protection laws:

·        Right to withdraw consent: Where the processing of personal data is based on your consent you may withdraw this consent at any moment by following the procedures described in the respective consent form. We ensure that consent can be withdrawn by the same means as it was given – e.g., electronically. As a participant in a market research project please note that by withdrawing consent you typically end your participation in the respective project and will no longer be eligible for any rewards or incentives that GfK may eventually offer to participants.

·       Right to rectification: You may obtain from us rectification of personal data concerning you. We make reasonable efforts to keep personal data in our possession or control which are used on an ongoing basis, accurate, complete, current and relevant, based on the most recent information available to us. In appropriate cases, we provide self-service internet portals where users have the possibility to review and rectify their personal data.

·       Right to restriction of processing: You may obtain from us restriction of processing of your personal data, if

·           you contest the accuracy of your personal data for the period we need to verify the accuracy,

·           the processing is unlawful and you request the restriction of processing rather than erasure of your personal data,

·           we do no longer need your personal data but you require them for the establishment, exercise or defense of legal claims, or

·           you object to the processing while we verify whether our legitimate grounds override yours.

·       Right to access: You may ask us from us information regarding personal data that we hold about you, including information as to which categories of personal data we have in our possession or control, what they are being used for, where we collected them, if not from you directly, and to whom they have been disclosed, if applicable. You may obtain from us one copy, free of charge, of personal data we hold about you.  We reserve the right to charge a reasonable fee for each further copy you may request.

·       Right to portability: At your request, we will transfer your personal data to another controller, where technical feasible, provided that the processing is based on your consent or necessary for the performance of a contract. Rather than receiving a copy of your personal data you may request that we transfer the data to another controller, specified by you, directly.

·       Right to erasure: You may obtain from us erasure of your personal data, where

·           he personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

·           you have a right to object further processing of your personal data (see below) and execute this right object to the processing;

·           the processing is based on your consent, you withdraw your consent and there is no other legal ground for the processing;

·           the personal data have been unlawfully processed;

·           unless the processing is necessary

·           for compliance with a legal obligation which requires processing from us;

·           in particular for statutory data retention requirements;

·           for the establishment, exercise or defence of legal claims.

·       Right to object: You may object – at any time – to the processing of your personal data due to your particular situation, provided that the processing is not based on your consent but on our legitimate interests or those of a third party. In this event we shall no longer process your personal data, unless we can demonstrate compelling legitimate grounds and an overriding interest for the processing or for the establishment, exercise or defense of legal claims. If you object to the processing, please specify whether you wish the erasure of your personal data or the restriction of its processing by us.

·       Right to lodge a complaint: In case of an alleged infringement of applicable privacy laws, you may lodge a complaint with the data protection supervisory authority in the country you live in or where the alleged infringement occurred.


Please note:

·         Time period: We will try to fulfill your request within 30 days. However, the period may be extended due to specific reasons relating to the specific legal right or the complexity of your request.

·         Restriction of access: In certain situations we may not be able to give you access to all or some of your personal data due to statutory provisions. If we deny your request for access, we will advise you of the reason for the refusal.

·         Exercise your legal rights: In order to exercise your legal rights, please contact the GfK Connect client service by email: You may also turn directly to our Data Protection Officer. For contact information please refer to the end of this Privacy Policy.


9          Retention of your personal data

In general, we will delete the personal data we collected from you if they are no longer necessary to achieve the purposes for which they were originally collected. However, we may be required to store your personal data for a longer period due to statutory provisions. We delete log files, including IP addresses, on a weekly basis. We store personal data of users in their user accounts for the duration of the employment relationship, or the business relationship, respectively, but delete them on request if access to the Service is no longer needed.

In addition, we will not delete all of your personal data if you requested from us to refrain from re-contacting you in the future. For this purpose, GfK keeps records which contain information on people who do not want to be re-contacted in the future (e.g. by means of bulk emailing or recruiting campaigns for market research projects). We qualify your request as consent to store your personal data for the purpose of such record keeping unless you instruct us otherwise.

10      Security

GfK takes data security seriously. We apply an appropriate level of security and have therefore implemented reasonable physical, electronic, and administrative procedures to safeguard the data we collect from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed. Our information security policies and procedures are closely aligned with widely accepted international standards and are reviewed regularly and updated as necessary to meet our business needs, changes in technology, and regulatory requirements. Access to your personal data is granted only to those personnel, service providers or GfK affiliates with a business need-to-know or who require it in order to perform their duties.

The security of your Personal Data is very important to us.  We have put in place reasonable physical, electronic, and administrative procedures to safeguard the information we collect.  Access to your Personal Data is granted only to those employees who require it in order to perform their duties.  We cannot guarantee, however, that all communications between us or information stored on our servers will be free from unauthorized access by third parties such as hackers.  Your use of our services demonstrates your assumption of this risk. 

11      Changes to this privacy policy 

We reserve the right, at our discretion, to modify our privacy practices and update and make changes to this Privacy Policy at any time.  For this reason, we encourage you to refer to this Privacy Policy on an ongoing basis.  This Privacy Policy is current as of the "Last Revised" date which appears at the top of this page.  We will treat Personal Data in a manner consistent with the Privacy Policy under which it was collected, unless we have your consent to treat it differently.  By using this website following any Privacy Policy change, you freely and specifically give us your consent to collect, use, transfer and disclose your Personal Data in the manner specified in such then-current Privacy Policy.

12      Contact information

Please direct your questions regarding the subject matter of data protection and any requests in the exercise of your legal rights to the GfK Connect client service (
You may also contact the Data Protection Officer directly by writing an email to or a letter to the postal address below.

Legal information:
Sophie-Germain-Strasse 3-5
90443 Nuremberg

Peter Feld (CEO)
Lars Nordmark (CFO)

T +49 911 395-0 (Switchboard),

Chairman of the Supervisory Board: Ralf Klein-Bölting

Registered office: Nuremberg
Entered in the Commercial Register at the District Court:
Nuremberg: HRB 25014