Privacy

Last updated: 18 November 2019

The following Terms & Conditions, in conjunction with our Privacy Statement (collectively "Terms"), govern the use of this website and the service that Panelbase delivers. If you do not agree to be bound by these Terms, please do not use the website. If you continue to use the website you are indicating your acceptance of, and agreement to, these Terms.

Introduction

Panelbase is a division of Dipsticks Research Limited (“DRL”), a company registered in England and Wales, company registration number 03752827. DRL is a registered Data Controller with the Information Commissioner’s Office, registration number Z8203709. DRL is a member of the Market Research Society ("MRS") Company Partner Scheme and undertakes all research in accordance with the MRS Code Of Conduct and the European Society for Opinion and Market Research (“ESOMAR”) Code Of Conduct. We understand the importance of information security and data privacy and adhere to both the Data Protection Act (“DPA”) and the European Union’s General Data Protection Regulation (“GDPR”).

This Privacy Statement describes the processes that Panelbase engages in with regard to the capture, storage, processing and retention of personal data via our websites, when engaging in our internally-hosted surveys, when accessing externally hosted partner surveys, or when interacting with us via other means e.g. email.

GDPR, privacy regulations and the MRS code

The GDPR, which is effective from 25th May 2018, governs how we capture, process, store and secure personal data. In addition to this regulation, we abide by prevailing privacy legislation, the MRS Code Of Conduct and the ESOMAR Code Of Conduct.

Information we gather on the website

We capture data via our website in two types of scenario.

Scenario 1 - pertains to visitors who simply visit the website but do not log in to the member’s area. Their visit to the website will be recorded by Google Analytics, capturing the IP address they visited from, the browser type they are using, their geographic location as well as the pages visited. This information is used by us to understand the visitor journey on our website and also the technology used by those accessing the website. This information is stored by Google Analytics’ systems and accessed by us via their web-based reporting platform. In addition to logging this information, a cookie may be dropped onto the system of the website visitor in order to track the pages they visit on our website.

Scenario 2 - relates to those who have registered with Panelbase and hold a Panelbase member account. In addition to the data above relating to visiting the website, we will also capture various pieces of data that pertain to each Panelbase member. All of this data is necessary for us to provide Panelbase members with, as well as to maintain and further develop, the service they sign up for, which is the delivery of market research opportunities.

Scenario 3 - is where one of our partners or clients supplies respondents to a survey that we are conducting. In some cases that survey will be hosted on our systems but in other cases the survey may be hosted externally to our systems. Where the survey is hosted on our systems, we will log the entry and exit to the survey as well as all of the answers to the survey questions. Where the survey is hosted externally to our systems, we will only log the entry and exit to the survey as all responses to the survey questions will be captured by the external survey hosting entity.

The table below summarises the types of data we capture, along with additional information regarding the reason for capture, how the data is processed, the duration of storage and the security of the data.

Registration Data

e.g. name, address, date of birth, username, email address, telephone number etc.

Purpose

This data is required in order to create a new Panelbase account. It is also used to help identify an individual and to send suitable survey invitations and for identity validation when dealing with account enquiries. This data is mandatory in order to be a member of Panelbase. Under GDPR the legal basis for processing of this data is ‘contract’.

Processing

This data is processed at the point that a new member registers with Panelbase, including sending the registration email and validation link, undergoing proprietary checks to validate the authenticity of the new account. Thereafter, the contact details are used to deliver suitable survey opportunities to the registered member.

Retention

This data is retained for the duration that a member has an active account with Panelbase. In order to support fraud prevention processes, we will also retain some of this data following the deactivation or unsubscribing of an active member account. This allows us to cross-reference historic data with any data provided to us in relation to new Panelbase accounts. We are also required to retain this data alongside financial transaction data for a period of 7 years in order to meet our legal obligations in relation to financial auditing. Whilst GDPR provides individuals with the ‘right to be forgotten’, and for certain data to be erased at their request, some of this data is exempt from an individual’s right to be forgotten. We will delete this data following a period of 5 years beyond the retention period required to meet our legal obligations for financial auditing purposes.
Registration data pertaining to accounts that are not yet validated, using the validation link that is emailed to the registered email address at the point of registering, will be deleted after a period of 12 months.

Security

This data is stored in a database that has controlled user access, those users only being allowed access for the purpose of fulfilling their remit e.g. to contact Panelbase members to deliver survey opportunities to them, or to exclude them from survey opportunities for which they do not fall into the required target profile, or for the general administration of their account.

Profiling Data

pertaining to registered Panelbase members e.g. which make and model of car they own, which sports they play/watch, which banking provider they have financial products with etc.

Purpose

This data is used to assess the feasibility of new projects when dealing with client enquiries, e.g. to identify how many Panelbase members own a BMW car and, upon commission of such a project, to send survey invitations to those members. Under GDPR the legal basis for processing of this data is ‘legitimate business interest’.

Processing

This data is processed at the point of undertaking feasibility assessments for new projects in order to establish if Panelbase can deliver the required number of respondents fitting the profile specification supplied by our clients. The data is also used to select suitable respondents (or to exclude them, where the data suggests they do not fall into the required target profile) for invitation to a survey opportunity.

Retention

This data is retained for the duration that a member has an account with Panelbase. Once a Panelbase member unsubscribes or has their account deactivated, this profile data is deleted. This data can be changed or by the Panelbase member at any time within their Panelbase account. Similarly, consent to process this data can be withdrawn at any time, however in doing so, the Panelbase member would limit our ability to send surveys that are tailored to their personal profile.

Security

This data is stored in a database that has controlled user access, those users only being allowed access for the purpose of fulfilling their remit e.g. to contact Panelbase members to deliver survey opportunities to them, or to exclude them from survey opportunities for which they do not fall into the required target profile.

Sensitive personal data

is classed as any data pertaining to: race, ethnic origin, political beliefs/affiliation, sexual orientation or medical conditions.

Purpose

Sometimes we need to target surveys based on an individual’s sensitive personal data e.g. those with a certain medical condition or those of a particular ethnic background. This data is used by us in the same way as profiling data, however it is distinguishable under GDPR as ‘sensitive personal data’ and so we treat it separately. Under GDPR the legal basis for processing of this data is ‘consent’.

Processing

This data is processed at the point of undertaking feasibility assessments for new projects in order to establish if Panelbase can deliver the required number of respondents fitting the profile specification supplied by our clients. The data is also used to select suitable respondents (or to exclude them, where the data suggests they do not fall into the required target profile) for invitation to a survey opportunity.

Retention

This data is retained for the duration that a member has an account with Panelbase. Once a Panelbase member unsubscribes or has their account deactivated, this sensitive personal data is deleted.

Security

This data is stored in a database that has controlled user access, those users only being allowed access for the purpose of fulfilling their remit e.g. to contact Panelbase members to deliver survey opportunities to them, or to exclude them from survey opportunities for which they do not fall into the required target profile.

Survey Data

gathered at the point a Panelbase member (or partner/client-supplied respondent) responds to a survey invitation, engages with our internal survey platform, or our external partners’ survey platforms.

Purpose

In order to register the entry to and exit from a survey, allowing us to record participation and prevent re-entry to a survey, plus the responses provided during a survey (in the case of our internally hosted surveys). Under GDPR the legal basis for processing of this data is ‘legitimate business interest’.

Processing

We will log each entry attempt to a survey, including the IP address used, browser used, geographic location and date/time. We will also log the exit from a survey, including the status and date/time. Where a survey is hosted internally on our survey platform, we will also record the responses submitted to each survey question in order to analyse the survey data and report this to our clients in aggregate form. The exit from a survey will also trigger an entry into the Panelbase member’s account (logged on their ‘Credits’ page) as a record of their participation, including any reward earned, where applicable.

Retention

Survey entry and exit data will be stored for a period of 12 months from participation in order to allow for re-invitation or exclusion as may be necessary with certain projects. This information will also allow us to deal with any survey-related enquiries presented to us by Panelbase members. The data stored in the ‘Credits’ page of a Panelbase member’s account will be retained throughout the period they are a member of Panelbase and, for financial auditing purposes, for a minimum of 6 years following the financial year in which that entry was created. The actual responses provided within one of our internally hosted surveys will be stored alongside the unique ID of a Panelbase member for a period of 1 month following the delivery of aggregated reporting outputs to our client. At that stage, we will delete the unique ID from the survey data such that the survey responses can no longer be attributed or linked to the ex-Panelbase member. Survey data captured by our partners’ survey platforms is not stored on Panelbase systems and is subject to their retention and processing policies, which should be equivalent to those of Panelbase and verifiable at the point of entering each survey.

Security

This data is stored in a database that has controlled user access, those users only being allowed access for the purpose of fulfilling their remit e.g. to contact Panelbase members to deliver re-contact survey opportunities to them.

MiniPolls™ Data

are typically single question polls but sometimes may involve 2 or 3 linked questions

Purpose

We use MiniPolls™ for two different purposes. They are mainly used by us when we don’t have sufficient profiling data in order to answer a client brief e.g. to understand the percentage of the population who match a requirement which we cannot derive from pre-existing profiling data. This often allows us to confirm project viability and to win new projects which are then delivered to Panelbase members. In some cases we may use MiniPolls™ to gather a quick response to a topical issue e.g. “What do you think of X which appeared in the news today?”. Sometimes we will use the outputs from such polls to support a post on social media e.g. Twitter. We also make the MiniPoll™ mechanism available to Panelbase members so that they can ask questions of the rest of the Panelbase community. Under GDPR the legal basis for processing of this data is ‘legitimate business interest’.

Processing

Where a MiniPoll™ is used to ascertain the penetration of a particular profile in response to a project brief, and where that project is subsequently commissioned, we will use the MiniPoll™ data to pre-select members for invitation to the new survey opportunity. Likewise, the MiniPoll™ responses may be used to exclude those who do not appear to match the required profile for such opportunities.

Retention

This data is retained for the duration that a member has an account with Panelbase. Once a Panelbase member unsubscribes or has their account deactivated, we will delete the unique Panelbase ID from the MiniPoll™ data such that the MiniPoll™ responses can no longer be attributed or linked to the ex-Panelbase member.

Security

This data is stored in a database that has controlled user access, those users only being allowed access for the purpose of fulfilling their remit e.g. to contact Panelbase members to deliver survey opportunities to them, or to exclude them from survey opportunities for which they do not fall into the required target profile.

Financials Data

pertaining to rewards earned and withdrawn from the Panelbase member account

Purpose

This data is logged against each Panelbase member account in order to provide an accurate log of all the rewards earned and paid into, as well as any monies withdrawn from, that account. This data does not include any bank details that may be provided when submitting BACS withdrawal requests. Under GDPR the legal basis for processing of this data is ‘contract’.

Processing

This data is processed in order to provide Panelbase members with a summary of their account, to facilitate the withdrawal mechanisms, to provide internal reporting to Panelbase staff and for financial auditing purposes.

Retention

In order to comply with financial auditing legislation we have to keep this data for a minimum period of 7 years. This means that we will retain this data for a minimum term even if a Panelbase member has unsubscribed, been deactivated or has become inactive. Whilst GDPR provides individuals with the ‘right to be forgotten’, and for certain data to be erased at their request, this data is exempt from an individual’s right to be forgotten. We will delete this data following a period of 5 years beyond the retention period required to meet our legal obligations for financial auditing purposes.

Security

This data is stored in a database that has controlled user access, those users only being allowed access for the purpose of fulfilling their remit e.g. to review or administer rewards earned or withdrawals made by a Panelbase member, dealing with membership support enquiries, or for summary reporting of financial transactions across the Panelbase membership.

Bank details

where a Panelbase member opts to withdraw their accrued survey rewards via the BACS method

Purpose

In order to process a rewards withdrawal via the BACS option and to pay such rewards to the account details provided by the registered Panelbase member. Under GDPR the legal basis for processing of this data is ‘contract’.

Processing

Bank details are exported once a week to a batch file which is stored temporarily on our secure servers. Those details are then uploaded to the Barclays bank website and processed by them as part of their ‘3-day payment’ process. Once the upload has completed and the details accepted by Barclays bank, the batch file is hard deleted from our servers.

Retention

The bank details provided at the point of submitting a BACS withdrawal request will be stored for a period of up to 7 working days prior to processing the withdrawal, and for a further 14 working days following the processing of the withdrawal. This allows us to process any amendments or queries pertaining to BACS withdrawals.

Security

This data is stored in a database that has controlled user access, those users only being allowed access for the purpose of fulfilling their remit e.g. to process BACS withdrawals or deal with member enquiries pertaining to BACS withdrawals.

Who we might share data with

We may need to share elements of your personal data with our clients who commission surveys, our partners who supply survey opportunities to us, or our data processing contractors. On occasion this may include identifiable data, such as your name, a unique reference number or other ‘tag’ which allows us to identify you or your address. In other cases this may be exclusively, or may include, non-identifiable profiling data, as supplied by you in your Panelbase profile. We will always aim to minimise the amount of shared data, and the extent to which such data may be identifiable, in order to share only such data as may be necessary for any given purpose.

We may share your information in the following ways or with the following entities:

  • Our clients, as described above;
  • Our business partners, suppliers and sub-contractors for the purposes mentioned above;
  • Our affiliates and selected third parties, who source and supply survey opportunities that we can deliver to you;
  • Data enhancement agencies, to match consumer classifications or financial segmentations;
  • Analytics and search engine providers that assist us in the improvement and optimization of our site;
  • Banks and other financial institutions;
  • Rewards fulfilment agencies or voucher supply companies;
  • Law enforcement agencies, our legal advisers, courts, applicable independent adjudication services;
  • In the event that we consider selling or buying any business or assets, we will disclose your personal data to any prospective sellers or buyers of such business or assets.

Some of the above entities may be based, or undertake data processing, outside of the UK. Where this is the case, we will always take steps to protect your information and your rights whilst complying with our legal obligations through the use of appropriate measures such as EU Approved, or equivalent, contract clauses. Further information on these measures can be found here:
European Commission - International dimension of data protection

Cookies

Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.

The text below explains a bit more about which cookies a user of the Panelbase website may be exposed to, and why.

Origin: www.panelbase.net

Name

  • ASPNET_SessionId
  • ASPXAUTH
  • ARRAffinity

Purpose

The ASPNET_SessionId cookie is essential for any users accessing our site to access forms. This includes login forms and registrations etc. This cookie is removed when you close your browser.

The ASPXAUTH cookie is used to signify you are logged in to our website. Without this cookie users are unable to remain logged in to our website. This cookie is removed when you close your browser.

The ARRAffinity cookie is used to deliver the website experience to your internet browser. It ensures that when the website is delivered through load balancing processes, your internet browser’s session is maintained through the same route/server. Without this cookie delivery of the website and user experience would be impacted. This cookie is removed when you close your browser.

Origin: Google Analytics

Purpose

These cookies are used by Google Analytics to store information, such as what time the current visit occurred, whether the visitor has been to the site before, and what site referred the visitor to the web page.

__utma – Collects data on the number of times a user has visited the website as well as dates for the first and most recent visit. This data is used by Google Analytics and only anonymised data is shared with Panelbase. This cookie expires after 2 years.

__utmb – Registers a timestamp with the exact time of when the user accessed the website. This data is used by Google Analytics to calculate the duration of a website visit and only anonymised data is shared with Panelbase. This cookie expires after 30 minutes.

__utmc – Registers a timestamp with the exact time of when the user leaves the website. This data is used by Google Analytics to calculate the duration of a website visit and only anonymised data is shared with Panelbase. This cookie expires when the internet browser is closed.

__utmt – Is used to throttle the speed of requests made to the server. This cookie expires after 10 minutes.

__utmv – Used to store visitor-level custom variable data. This cookie expires after 2 years.

__utmz – Collects data on where the user came from, and where applicable, what search engine they used, which link was clicked and which search terms were used. This cookie expires after 6 months.

More about Google privacy

Origin: go.panelbase.net

Name

The cookie name will be the same as the survey number. E.g. ‘W1234’

Purpose

These cookies are used to help ensure respondents aren’t able to take the same survey twice.

Origin: AccessMill

Metrixlab

Purpose

Survey-specific cookie - tracks exposure to advertising across the internet.

Origin: MediaMath

Name

Amnet-MediaMath

Purpose

Survey-specific cookie - tracks exposure to advertising across the internet.

Origin: Dentsu Aegis Network

Name

QC CCS Survey Tag

Purpose

Survey-specific cookie - tracks exposure to advertising across the internet.

Participation in surveys

Panelbase invites its members to participate in research tasks which typically take the form of, or involve, online surveys. Those surveys are either hosted by Panelbase, in which case we will store the responses provided within the surveys, or they will be hosted by our clients/partners. Where a survey is not hosted by Panelbase, each respondent is notified that they will be leaving Panelbase systems at the point that they enter the client/partner survey and so the responses they provide will be logged by that client/partner and will not be stored on Panelbase systems. In order not to influence survey responses, the identity of the client/partner cannot usually be revealed, however it is normally the case that the external survey platform will contain a link to that provider’s privacy policy and thus their details will appear within such material.

Participation in Panelbase surveys is entirely optional. At the point that a survey invitation is sent to a registered member, we will communicate the estimated length of the survey, the reward on offer for successful completion of the survey (which includes passing the associated Quality Control procedures) and a generic indication of the subject matter. Some projects may also include additional briefing information, where there is a specific task that is included as part of the project e.g. reviewing a website, providing diary entries over a specified number of days, or inviting a child or other household member to take part. There is no obligation for a Panelbase member, or any partner/client supplied respondent, to engage in a survey if they choose not to based on the information provided in the survey invitation or survey landing page. Indeed, a survey respondent can abandon a survey at any time if they choose not to proceed any further.

Data collected in relation to surveys, including entry/exit, survey responses, IP address, date/time and browser used, is captured, stored and processed in line with the table provided above.

Children

Panelbase only accepts registrations from UK residents aged over 16. Some of those members may tell us about children they have, and where those children are under the age of 13, additional information may be provided by the Panelbase member in respect of each child. This information is provided to us by the parent on the basis that they are the ‘responsible adult’ and so that we may match suitable surveys that are intended for their child(ren) to complete. All such survey invitations will be sent to the parent, who will make a choice as to whether they allow their child to engage in the survey in question. The parent will be asked to confirm their identity and that they are a responsible adult in respect of the child being invited to engage in the survey. The child will also be given an opportunity to not engage in the survey, as there is no obligation for them to do so even if their parent has consented and invited the child to engage in the survey.

Under the GDPR, and based on the UK’s interpretation of this important legislation, a child aged 13 or over has a legal right to, and control over, any information held about them. Accordingly, we will not retain any data previously supplied to us in relation to a child, at the point that the child reaches the age of 13. Any such data will be automatically deleted from our systems. We will however continue to store data pertaining to the adult in respect of them having a child, the age of that child and their gender as this data is still legally owned by and applicable to the parent. We may use this data to send research opportunities to the parent based on the fact they have a child of a certain age and/or gender.

In the case of our partners or clients supplying respondents under the age of 16 to participate in any of our surveys, the same rules will apply in terms of how the child engages with our systems.

Information security

Not only are we obliged to by law, but we also take the handling of our members’ personal data very seriously. We take great care to store all data securely and to handle all data in line with the service that we provide to our members. Our technical infrastructure adheres to industry best practice and adopts many of the requirements of ISO27001, which is the internationally recognised standard relating to Information Security Management Systems.

When you interact with Panelbase via our website, your connection with our servers is encrypted using Extended Validation Secure Sockets Layer (EV SSL) 256-bit encryption. This is an enhanced level of protection which involves our company being validated by Thawte Inc., who are a leading Certification Authority.

We suggest that our members treat their Panelbase account details as securely as they would those for any other service containing their personal data, such as online banking. This means that usernames and passwords should not be shared with other people. If you suspect that your Panelbase account details may have been compromised, please contact us immediately and we will assist you in protecting your personal information.

Changes to the Privacy Statement

We reserve the right to make changes to this Privacy Statement to reflect changes in legislation, best practice, or simply to reflect improvements or other changes that may be necessary from time to time. We will always notify members of a change having been made, by publishing the updated Privacy Statement on our website. We recommend that members refer to our Privacy Statement regularly in order that they remain familiar with its contents. Continued usage of this website and interaction with Panelbase reflects continued acceptance of both this Privacy Statement and our Terms & Conditions.

Your rights

GDPR provides individuals with greater control over their data. Your rights under GDPR are summarised below:

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to erasure (often referred to as the ‘Right to be forgotten’)
  • Right to restrict processing
  • Right of data portability
  • Right to object
  • Right to withdraw consent
  • Rights related to automated decision making and profiling
  • Right to complain to the ICO

To read more about your rights under GDPR, please click here https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/.

If you wish to exercise any of your rights under GDPR in relation to your relationship with Panelbase, please send us an email at DPO@panelbase.com.

Subject Access Requests

Under GDPR you have a right to access the data that we hold about you – this is known as a Subject Access Request (“SAR”).

You can only make a SAR in relation to a Panelbase account that belongs to you. In exceptional cases, a SAR may be requested by someone who has delegated authority to make such a request on behalf of the registered Panelbase member, however we will require evidence of such authority having been delegated by the Panelbase member to whom the SAR is applicable. In all cases, we reserve the right to request proof of identity in order to ensure that we are discussing account details and disclosing data only to the person who has a legal right to access such data.

To read more about SARs please visit the ICO website at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/.

In order to submit a SAR to Panelbase, please send an email to our Data Protection Officer at DPO@panelbase.com, detailing the nature of your request i.e. which data you are requesting and which timeframes the request pertains to.

Communicating with Panelbase

All member enquiries should be directed to support@panelbase.zendesk.com. This is a 3rd-party enquiry management and ticketing system which is used by many businesses in many sectors for the purpose of managing membership communications. More information about how Zendesk operates its platform can be found here https://www.zendesk.com/company/policies-procedures/. When you send an enquiry to Panelbase using support@panelbase.zendesk.com your personal details (name, email address, and any data you include in your communications with us via this platform) will be stored within Zendesk’s systems. All Panelbase enquiries received and handled through the Zendesk platform are accessed exclusively by Panelbase personnel based in the UK and solely for the purpose of providing membership support services.

Contact details

You can find Panelbase’s contact details, including postal, telephone and email, below.

Panelbase
The Mill
Hexham Business Park
Burn Lane
Hexham
Northumberland
NE46 3RU

UK freephone: 0800 195 8492 [from overseas +44 (0)1434 611164]

General email enquiries: support@panelbase.zendesk.com

Our Data Protection Officer’s contact details are: Privacy Crowd Limited (trading as ‘Privacy Partnership’), 92 New Cavendish Street, London, W1W 6XJ. All enquiries pertaining to data privacy, or to submit a SAR, should be sent to DPO@panelbase.com.
