Ifop Group commitments regarding protection of personal data through its surveys.
Effective as of 31.03.2021
- Lawfulness of personal data processing as part of Ifop’s market research studies and surveys, and consent:
In accordance with Article 6 of the GDPR, Ifop only collects personal data if it obtains the freely given, specific and informed prior consent of the person contacted to respond to the market research study or survey, after having explained to that person the purpose of data collection in a clear, accurate and concise way.
Ifop will keep evidence of this consent for the period necessary for processing, generally the duration of the study and associated quality control activities.
Ifop undertakes to inform the person responding to the study of the origin of their data if this data comes from a contractor or customer rather than being directly generated by Ifop. The new European Regulation authorizes Ifop to reuse customer data for research purposes, as market research studies are categorized as scientific research.
- Nature of the personal data processed and duration of their storage
Ifop has made a commitment that personal data will not be stored longer than for the purpose for which they were collected or processed, with the application of clear provisions on retention periods.
If you have any questions related to the processing of your personal data, please refer to « Your rights » bellow.
- Minimization and anonymization of personal data
Ifop has made a commitment to reduce the impact of personal data collection by limiting and minimizing collection to the elements required for the purposes of the study, and by ensuring that this data is not used in a way that is incompatible with these purposes.
Ifop has also introduced procedures to guarantee that those participating in its studies do not experience any harm or injury as a direct result of their collaboration in the study, using anonymization techniques and by limiting access to personal data to field teams and study personnel working on the study in question.
Finally, Ifop undertakes to preserve the anonymity of the persons responding to its studies vis-à-vis the end customer by providing it only non-nominal aggregated or raw data, except where agreement and consent are given by the persons responding to the studies if pharmacovigilance obligations require Ifop to communicate their identities to the customer, or as part of transparency declarations (e.g. Sunshine Act in the USA).
- Sharing of personal data
4.1 External service providers:
In addition to the transfer of personal data to its internal teams, subsidiaries and IT teams, Ifop may use a supplier or subcontractor to perform certain services related to its activity and may therefore transfer personal data to it. Ifop selects its suppliers and ensures that they have the ability to comply with the directives and regulations related to the protection of personal data, and will transfer the personal data only if a commitment and agreement has been previously signed between this external service provider and Ifop.
4.2 International transfers
Personal data submitted through our studies resides on our servers located in our data center in Paris, France.
Ifop’s legal entities outside the European Union have entered into intra-company data protection agreements using standard contractual clauses prepared by the European Commission. These agreements require the contracting parties to respect the confidentiality of your Personal Information and to handle European personal data in accordance with applicable European data protection laws. Ifop’s legal entities outside the European Union are the following:
Ifop Eastwego Shanghai – Unit 1601 – 1602 Wangjiao Plaza 175 Yan’an East Roas – Shanghaï 200002 – P.R. China
Ifop Eastwego Hong Kong – 42/F., Central Plaza, 18 Harbour Road, Wanchai, Hong Kong
Ifop Inc. – New York, NY 10016
Ifop does not transfer any personal data outside the European Economic Area (EEA) unless a prior transfer agreement has been established with the entity receiving the personal data, and unless it has received guarantees that this entity has implemented measures offering the same level of security as that required by European regulations.
In any case, Ifop only transfers personal data outside the EEA after having obtained the consent of the persons responding to the studies.
4.3 Public bodies
Ifop may disclose personal data to public bodies, courts, administrative bodies or the administrative authority responsible for the protection of personal data if the law so requires or if it receives an order requiring it to do so.
- Sensitive data processing
If required by the topic of the studies commissioned by the client, Ifop may process sensitive data. Ifop undertakes to process these sensitive data in accordance with applicable regulations. In particular, Ifop is committed to treating on a case-by-case basis the requests for studies that, because of their type of processing, would expose respondents to Ifop’s studies to high risk.
In close consultation with the client and prior to their implementation, these studies will be the subject of a privacy impact assessment to evaluate the potential risks in terms of protection of personal data.
This analysis will include at least:
- A systematic description of the processing operations envisaged and the purposes of the processing;
- An assessment of the necessity and proportionality of the operations with regard to the purposes;
- An assessment of the risks created by the processing;
- Measures to deal with these risks.
- Personal data concerning children
Ifop will not collect or process personal data about children under the age of 16 – or the legally required age defined by French law or by the applicable law – without the prior permission of the parent(s) or legal guardian(s).
- Your rights:
- Under the applicable law, you have the following rights:
- Access to personal data: We will make available to you the personal data about you in our custody or control that we have collected, used or disclosed, upon your written request, to the extent required and/or permitted by law.
- Rectification of your personal data: If you think that your personal data is inaccurate, you can ask for their rectification.
- Erasure of your personal data: If you believe that Ifop no longer requires to process your personal data, you can ask for their erasure from our databases.
- Restriction of the processing of your personal data: If you believe that the processing of your personal data is either inaccurate or unlawful, you can ask or the restriction of this processing. Ifop will then only store this data and no longer process them in any other way without your consent.
- Opposition to the processing of your personal data: If you previously consented to the processing of your personal data by Ifop, you have the right to object this processing of your data on grounds relating to your particular situation and at any time.
- Deciding of the processing of your personal data after your death: At any times, you or a person you designated can inform Ifop of your decision about the processing of your personal data after your death, whether this is the erasure, the conservation or the communication of these data.
To exercise any of these rights related to the personal information that we may hold about you, we require that you submit your request in writing to firstname.lastname@example.org. When we receive an access request from an individual, we will attempt to fulfil the requested information within 30 days.
In certain situations, however, we may not be able to give individuals access to all or some of their personal data. If we deny an individual’s request for access to their personal data, we will advise the individual of the reason for the refusal.
- 8. Dedicated team, training and internal tools
8.1 Internal tools
In accordance with regulatory requirements, Ifop maintains specific internal documentation:
Documentation relating to the processing of personal data: the processing register, impact assessments carried out, the management of non-EEA transfers or contractual clauses;
Documentation relating to information to persons: information statements given to the person whose data were collected, the form for the collection of the consent of the persons, the procedure put in place for the exercise of the rights of persons (right of access, modification etc.);
Contracts defining the roles and responsibilities of each actor: contracts with subcontractors.
Ifop has launched a training and awareness programme for all its teams on the new European regulation on the protection of personal data.
8.3 Dedicated team
Ifop has set up an internal team dedicated to the protection of personal data, headed by the Data Protection Officer and the Head of IT.
The security of your personal data is very important to us. We have put in place reasonable physical, electronic, and administrative procedures to safeguard the information Ifop collects. Access to your personal data is granted only to those employees who require it in order to perform their duties.
Ifop has implemented security protocols to control risks, as described in an Ifop technical protocol, notably through the use of an encrypted, secure messaging service for sending and receiving personal data files. This protocol complies with internationally recognized standards and is regularly examined and updated if necessary.
10. Changes to this policy