Data Privacy Framework Privacy Policy
Basis Research LA LLC and Basis Chicago Limited (aka Basis Consumer US or ‘Basis’) are committed to adhering to the Data Privacy Framework Principles to the extent necessary to meet national security, public interest, and legal requirements. These Principles will apply to all personal data transferred and do not apply to any data from which individuals cannot be identified or where pseudonyms are used.
Basis complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Basis has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Basis has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.
To learn more about the Data Privacy Framework (DPF) program, and to view our certification page, please visit https://www.dataprivacyframework.gov/ or https://www.dataprivacyframework.gov/list
US law will apply to questions of interpretation and compliance with the Principles and relevant privacy policies by Data Privacy Framework organizations, except where Basis has committed to co-operate with EU data protection authorities (“DPAs”).
DEFINITIONS
“Personal data” and “personal information” are data about an identified or identifiable individual that are within the scope of the Directive, received by an organization in the United States from the European Union, and recorded in any form.
“Sensitive information / data” is personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual.
“Processing” of personal data means any operation or set of operations that is performed upon personal data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.
“Processor” is the company or person who performs the processing.
“Controller” means a person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal data.
COLLECTION AND USE OF DATA
Basis collects personal information to enable us to contact respondents to take part in market research projects; these can be for online surveys and / or face-to-face interviews and focus groups. We collect only the minimum amount of personal information that we need to enable us to fulfil the project parameters.
You may need to provide us with personal information such as your:
· Name
· Phone number(s)
· Physical address and / or regional location
· Email address
· Age and life stage
· Gender
· IP address
· Socio-economic information (such as affluence level, employment, etc.)
· Ethnicity (where strictly necessary for the research)
Basis only retains such information for as long as reasonably required for business purposes or as reasonably required to comply with our legal obligations.
PRINCIPLES
1. Notice – Basis must inform individuals about its participation in and commitment to the principles of the Data Privacy Framework, the data collected and who has access to it (including third parties and the purpose for this), the purpose for collection, their individual rights and how to contact Basis to exercise any of these, the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual, being subject to the investigatory and enforcement powers of the FTC, the requirement to disclose personal information in response to lawful requests by public authorities.
Basis provides privacy or fair processing notices to all individuals prior to them participating in any fieldwork; these inform them of why we require their data, who has access to it, where it is being held, for how long, their rights under the Data Privacy Framework (and GDPR if relevant), and who to contact to exercise any of said rights.
All notices are written in clear and easy-to-understand language to ensure that there is no confusion and all participants are fully cognisant of their rights and give informed consent.
2. Choice – offer individuals, by a clear, conspicuous, and readily available means, the opportunity to choose (opt out) whether their personal information is to be disclosed to a third party or used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals. Express consent (opt in) from individuals must be obtained if any sensitive information is to be disclosed or used for a purpose other than that which it was originally collected or subsequently authorized by the individual.
Basis provides market research and brand consultancy services to our clients in various business fields. Basis collects Personal Data from individuals to enable them to participate in surveys, focus groups, depth interviews and other research activities. In our capacity as a service provider, we will receive, store, and / or process Personal Data on behalf of our clients; in such cases, we are acting as a data processor. On rare occasions, the information that we collect from individuals in this capacity might be linked back to a client database, but you would be made aware if this is the case and asked to opt in before you take part.
We may need to disclose your information to our third-party suppliers as part of this – these include market research recruitment agencies, focus group meeting venues and venue hosts, panel and survey solution suppliers, online survey hosts. We will always inform you at the start who may have access to your information should you choose to participate in the research.
The Personal Data that we collect may vary based on the requirements of the research project and client it is for, but as a general matter, Basis collects the following types of Personal Data: full name, email address, mailing address / region, telephone number(s), title, gender, age and life stage, affluence level, IP address, and occasionally ethnicity.
We also may collect Personal Data from persons who contact us through our website to request additional information; in such a situation, we would collect contact information (as discussed above) and any other information that the person chooses to submit through our website.
Basis does not disclose personal information to third parties for purposes that are different than what it was originally collected for. Should the initial purpose change, we will recontact individuals with the option to opt-out.
3. Accountability for Onward Transfer – only transfer personal data for limited and specified purposes, and comply with Notice and Choice principles. To transfer personal information to a third party, the organization must enter into a contract with the third-party controller providing the data specifying that the recipient will provide the same level of protection as the Principles, and will notify the organization if it makes a determination that it can no longer meet this obligation and will immediately cease processing or takes other reasonable and appropriate steps to remediate.
Basis discloses Personal Data only to Third Parties who reasonably need to know such data and only for the specific purposes it was gathered for. Such recipients must agree to abide by confidentiality obligations and data protection agreements. Basis takes reasonable and appropriate steps to ensure that our third parties effectively process the personal information transferred in a manner consistent with the Principles and with the required security protection needed. We monitor our third-party suppliers throughout our relationship with them to ensure their compliance; all third parties are required to inform Basis of any potential issues that may impact their abilities to comply, in which case they will cease processing immediately. We will inform you who the third parties are at the time of gathering your personal data.
Basis also may occasionally disclose Personal Data to our client when a Data Subject has consented to or requested such disclosure. Please be aware that Basis may be required to disclose an individual's personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements. Basis’ accountability for personal data that it receives in the United States under the Data Privacy Framework and subsequently transfers to a third party is described in the Data Privacy Framework Principles. In particular, Basis remains responsible and liable under the Data Privacy Framework Principles if third-party agents that it engages to process personal data on its behalf do so in a manner inconsistent with the Principles, unless Basis proves that it is not responsible for the event giving rise to the damage.
4. Security – when creating, maintaining, using or disseminating personal information, take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data.
Basis has implemented physical and technical safeguards to protect Personal Data from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. Basis ensures that it always keeps updating its security to counteract any new and emerging threats. For example, electronically stored Personal Data is held on a secure network with firewall, encryption, anti-malware and virus protection; access to our system requires users to have unique logins with 2-factor authentication and pre-programmed permission levels that limit the scope of employees who have access to certain data. File structure is set up in such a way that we can limit access to individual folders as required, and revoke access remotely if needed.
5. Data Integrity and Purpose Limitation – personal information must be limited to the information that is relevant for the purposes of processing. Basis may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. Basis must take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current. Information may be retained in a form identifying or making identifiable the individual only for as long as it serves a purpose of processing.
Basis will explain on first contact what information we require, how long we will need this for, where their data is stored, who has access to it and why we require this. We only ask for the minimum personal information required to fulfil the needs of the purpose and only retain information that personally identifies an individual for as long as it serves the purpose for processing. After this, all data is fully anonymized (e.g. responses to survey questions are usually amalgamated and not attributed to any one individual) and personal data securely deleted. We use reasonable efforts to maintain the accuracy and integrity of Personal Data and to update it as necessary.
6. Access – individuals must have access to personal information about them that Basis holds and be able to correct, amend, or delete that information where it is inaccurate, or has been processed in violation of the Principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated.
To exercise your rights to access any data held by Basis, and correct, amend or delete this, please email Basis at GroupOperations@basisresearch.com. Requests received must be in writing providing sufficient clarity to enable us to determine whether we are processing your data and to enable us to locate it, and satisfy us of your identity to prove you are allowed to receive this. Any request will be dealt with in a timely manner, and in any case within one month of receiving it; you will be provided with an acknowledgement of your request once this has been received.
Any data you provide to correct our information must be truthful, complete, and accurate.
7. Recourse, Enforcement and Liability – effective privacy protection must include robust mechanisms for assuring compliance with the Principles, recourse for individuals who are affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed. Minimum mechanisms must include a readily available independent recourse mechanism by which each individual’s complaints and disputes are investigated and resolved at no cost to the individual, follow-up procedures for verifying that the attestations and assertions organizations make about their privacy practices, and obligations to remedy problems arising out of failure to comply with the Principles.
In compliance with the Data Privacy Framework Principles, Basis commits to promptly resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the Data Privacy Framework. European Union, United Kingdom, and Swiss individuals with Data Privacy Framework inquiries or complaints should first contact Basis by email at GroupOperations@basisresearch.com.
Basis further commits to refer unresolved privacy complaints to an independent dispute resolution mechanism, the BBB National Programs consumer complaints system. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and to file a complaint. This service is provided free of charge to you.
Basis shall remain liable under the Principles if it or its agents process such personal information in a manner inconsistent with the Principles, unless we prove that we are not responsible for the event giving rise to the damage. Procedures are in place for verifying that privacy practices have been implemented and any problems arising out of failure to comply will be dealt with swiftly and decisively.
Basis is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms.
RENEWAL
Basis will renew its EU-US, including the UK extension, and Swiss-US Data Privacy Framework certifications annually, unless it subsequently determines that it no longer needs such certification or if it employs a different adequacy mechanism. As part of this, Basis will review and update its information security and Data Privacy Framework policies annually to ensure that we remain compliant and up-to-date with the Principles.