1. Company background
Breathe (Breathe Research Ltd) are a market research consultancy and are committed to maintaining the industry standards of the Market Research Society and ESOMAR. We are ICO registered and an MRS Company Partner, ICO registration number Z3043419. We are based at our offices at: The Officers’ Mess, Coldstream Road, Caterham, Surrey, CR3 5QX and our registered address is: C/O Sempar Accountancy and Tax Limited, Lymedale Business Centre, Lymedale Business Park, Hooters Hall Road, ST5 9QF.
2. What we do
Breathe comply with the Market Research Society’s Code of Conduct and guidance on data handling. This has specific provision for personal data and we will handle and manage any personal data with respect. We will collect, store and manage it in an unbiased and secure way. We will only use your data for purposes that we have informed you about. We will always be transparent about the personal data we collect and its use.
We will ensure that all personal information supplied is held securely and in accordance with all applicable Data Protection legislation including GDPR. We have tried to make this document as simple as possible, but if you cannot understand any elements of it or you are not familiar with the terms used then please do contact us and we will endeavour to explain any elements to you. As we are a market research company some of the terms might be specific to our industry so please do ask if you aren’t sure what any meanings may be.
Please take a moment to familiarise yourself with our privacy practices and let us know if you have any questions by sending us an email or submitting a request to firstname.lastname@example.org or call us on 0208 668 9377. You have the right to object to the use of your personal data so you can contact us at any time to change your preferences.
3. What data is collected
Through our work we collect data some of which is personal data. Personal data means any information that can be used to identify directly or indirectly a specific individual. This may include but is not limited to:
3.1 Personal data you give us directly. We collect data about many things dependent on the project we are running for example how you shop, where you shop, what your opinions are, how you use services and products, the types of content you view or engage with, or the frequency and duration of your activities. We also collect personal data you provide us when you sign up for a project such as completing a survey, send us photos or videos, emails or texts. In so doing, we may ask for personal data, such as your name, gender, date of birth, address, email address, telephone number. Some projects might require us to collect special categories of personal data (e.g. ethnicity or religious view) about you only with your explicit consent.
3.3 Personal data we hold from other sources. We may be given data from clients about their customers. All of our clients are bound by their own privacy policies, data protection regulation and GDPR. This is also as per the MRS guidelines and ESOMAR standards. This data relates to who their customers are and what they do with their products and any other information they hold on their customers with customers approval. We may also receive information about your interactions with certain advertising activities in order to measure advertising effectiveness.
4. How we use personal data
We collect, process and hold your personal data only for specific and limited purposes. The data collected on the subject matter of the project i.e. your opinions is always anonymous unless specific permission is given by you in writing. These opinions may be aggregated with others and shared with the client body of the project only for the purposes of market research, unless other permissions have explicitly been obtained from you. Other data may be used for other purposes including, but not limited to, processing payments to you, to assess and handle any complaints, to develop and improve our services, communication methods and the functionality of our website. This can be for the purposes of competitions you may have entered in to as part of the research process.
We may also create profiles by analysing the information collected about your behaviours, about your online surfing, searching and other online behaviour. This may also include your interactions with our clients’ brand communications, products and services. This can include the use of building segments (i.e. creating groups that have certain common characteristics) and by placing your personal data in one or more segments.
Additionally, Breathe may also collect and processes your personal data using automated means. These automated means are where no human is involved in the process related to your personal data. This may be used to understand and assess the interests, wants, and changing needs of consumers, to improve our website, our services.
When we collect and use your personal data for purposes mentioned above or for other purposes, we will inform you before or at the time of collection. Where appropriate, we will ask for your consent to process the personal data. Where you have given consent for processing activities, you have the right to withdraw your consent at any time.
5. Who data is shared with
As a market research business Breathe might share your personal data with selected third-parties in the following circumstances:
• Legal disclosure. We may transfer and disclose your personal data to third-parties:
• To comply with a legal obligation;
• When we believe in good faith that an applicable law requires it;
• At the request of governmental authorities conducting an investigation;
• To respond to an emergency; or otherwise
• To protect the rights, property, safety, or security of third-parties, visitors to Breathe ’s websites, Breathe or the public.
6. International data transfer
Breathe may share personal data internally or with third-parties for purposes described in this Privacy Notice. Breathe will only send personal data collected within the European Economic Area (EEA) to foreign countries in circumstances such as:
• To follow your instructions;
• To comply with a legal duty; or
• To work with our agents and advisers who we use to help run our business and services or thirdparty partners who may be conducting a service on our behalf.
• If we do transfer personal data to outside of the EEA, Breathe will make sure that it is protected in the same way as if it was being used in the EEA. We’ll use one of the following safeguards:
• Transfer to a non-EEA Country whose privacy legislation ensures an adequate level of protection of personal data to the EEA one;
• Put in place a contract with the foreign third-party that means they must protect personal data to the same standards as the EEA; or
• Transfer personal data to organisations that are part of specific agreements on cross-border data transfers with the European Union (e.g., Privacy Shield, a framework that sets privacy standards for data sent between the United States and the European countries).
7. How we take care personal data
Breathe takes the security of your data extremely seriously. We make every effort to protect your data from being lost, changed, accessed or changed.
We have many protocols, policies and systems to achieve this by as adopting up to date industry standards, such as secure access controls, having up to date information technology, strong security to make sure our IT systems are safe and well protected. We do this with such methods including but not limited to encryption, anonymisation and pseudonymisation. Your data will only be seen and used by a controlled number of employees who are related to that specific project and only when they actually need to know that information. This information is not shared directly with client organisations unless specific consent is given by you. It is only the findings of research projects that are shared with clients and in that case all data attributable to you is anonymised. All of which is subject to contractual confidentiality agreements when handled or used by third party partners.
8. The length of time we keep personal data
We will keep your data for as long as we need it for the purpose it is being processed and used for. We retain the identifiable data we may hold from you or collect from you for as little time as possible, after which we employ measures to permanently delete it. Where we can, we will anonymise any data from you when there is no longer a legal, business or logistical need for it to be retained. Any other personal data will be deleted.
9. Your rights
Where we hold or process your personal data, you have a number of rights over how the data is processed and can exercise these rights at any point. You can exercise your rights by sending an email or submitting a request through to us at the email: email@example.com or call us on 0208 668 9377 to discuss the matter.
• The right to be informed or your rights. We are bound to provide you with clear and easily understandable information about how we use your personal data and your rights which we hope this document is doing.
• The right to object. Under certain circumstances, you have the right to object to certain types of processing, including processing for direct marketing, but here at Breathe we will never use your data for the purpose of direct marketing. We may also use your personal data for any public task (for the performance of a task carried out in the public interest) and you have the right to object to this. There may be other legitimate interests which apply that have not been listed
• The right to data access, amendment and correction. You have the right to access, correct or update your personal data at any time. Should you want to exercise your rights we understand how important this can be to you so please contact us on the details above.
• The right to data portability. All or some part of the personal data you have provided us with may be portable. In these cases, it means it can be moved, copied or transmitted electronically under certain circumstances.
• The right to be forgotten. You have right to request that we delete your data in certain circumstances. If you require us to delete all or part of your personal data, we hold please contact us and let us know and we will take all reasonable steps to accommodate your request as per our legal obligations. When the personal data we collect is no longer needed for any purposes and we are not required by law to retain it, we will do all we can to delete, destroy or permanently de-identify it.
• The right to restrict processing. Under certain circumstances, you have the right to restrict the processing of your personal data.
• The right to lodge a complaint with a Supervisory Authority. You have the right to lodge a complaint directly with any local Supervisory Authority about how we process your personal data. The current supervisory authority for national data protection in the UK is the Information Commissioner’s Office (ICO): https://ico.org.uk/
• The right to withdraw consent. If you have given your consent to anything we do with your personal data (i.e. we rely on consent as a legal basis for processing your personal data), you have the right to withdraw your consent at any time (although if you do so, it does not mean that anything we have done with your personal data with your consent up to that point is unlawful). You can withdraw your consent to the processing of your personal data at any time by contacting us with the details provided below.
• Rights related to automated decision-making. You have the right not to be subject to a decision which is based solely on automated processing and which produces legal or other significant effects on you. In particular, you have the right:
• To obtain human intervention
• To express your point of view
• To obtain an explanation of the decision reached after an assessment; and to
• Challenge such a decision.
We currently do not have any automated decision-making processes at Breathe but this does not exclude the use of any data obtained in the future being used in this manner.
Further information and advice about your rights can be obtained from the ICO https://ico.org.uk/
How to contact us
If you have any questions at all or any issues relating to potential infringements, or requests then please do contact Breathe in one of the following ways, email us at firstname.lastname@example.org or call us on 0208 668 9377 to discuss the matter. You can of course make the request in writing at the address at the start of the document. We have a designated data controller who will be able to handle any matters relating to this that you wish to discuss.
Where your issue may be more substantive in nature, more information may be sought from you. All such substantive contacts receive a response. If you are unsatisfied with the reply received, you may refer your complaint to the ICO. If you ask us, we will endeavour to help you as much as we can as well as what we are legally obliged to do so.
We will update this Privacy Notice when necessary in line with legal requirements as well as industry best practice.
We will not reduce your rights under this Privacy Notice without your consent.