Human8 undertakes to respect the applicable data protection legislation as specified in Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, (hereafter “General Data Protection Regulation” or “GDPR”).

Furthermore we are a member of the European Society for Opinion and Marketing Research (“ESOMAR”), an international organisation that focuses on developing better market research methods. In addition we adhere to the professional standards which ESOMAR sets out for its members.

This Privacy Statement explains how we process personal data at Human8, consisting of: (i) Human8, with registered office at Evergemsesteenweg 195, 9032 Ghent (Belgium) and registered with the Crossroads Bank for Enterprises under the number BE0837.297.070; and (ii) its subsidiaries and affiliates (see contact details below or click here) (jointly and each hereafter “Human8”, “our”, “us” or “we”).

Human8 is a group of consumer insight agencies that runs online communities and panels in which we invite consumers to share their view on our clients’ businesses, products and services. We offer our clients ancillary services to these communities such as analysis on global consumer trends.

At Human8 we believe in protecting the privacy and the confidentiality of the Personal Data we hold of you. We acknowledge that you may have privacy and security concerns with respect to the Personal Data we collect, use, and possibly disclose to third parties for the purpose of allowing us to provide our products and services to our clients, and more in general, to conduct our business as a group of market research companies. To this end, we have developed this Privacy Statement (hereafter “Statement”).

It should be clear that this Statement only applies to the processing of Personal Data by Human8 (I) acting on behalf of our clients when carrying out our Market Research Activities as a data processor; and/or (II) acting on our own behalf when carrying out our Business Activities as a data controller.

All processing of Personal Data by Human8 will be treated in accordance with applicable data protection legislation and this Privacy Statement.

This Statement sets out how Human8 processes Personal Data collected via:

(I) the market research products and services we offer to our clients, e.g. the collection of information through surveys, panels, communities (such as “Square”), interviews or any other form of market research tools (hereafter “Market Research Activities”);

Some examples:

- your participation in one or several of our Market Research Activities (e.g. questionnaires, panels, surveys, polls, communities or any other market research tool);
- your participation in one or several of our prize competitions; and
- all information you actively provide us with during such participations.
- when you contact us via our Websites, by e-mail, post, telephone, by exchanging business cards, by submitting a request to exercise your rights,…;
- when you engage or maintain a contractual relationship with us;
- when you apply for a job with us;
- when you subscribe to our newsletter;
- when you leave a comment on our Websites;
- when you request a download;
- Via the use of strictly necessary cookies on our Websites, or non-strictly cookies with your consent.

(II) the different websites we use, such as http://www.wearehuman8.com/, https://www.futuretalkers.com/, http://www.howcoolbrandsstayhot.com/> (jointly and each hereafter “Websites”) and all activities and services relating to conducting our business in general (e.g. administrative, technical, financial or either commercial activities and services) (hereafter “Business Activities”).

If necessary a distinction will be made between our Market Research Activities and Business Activities.

This Statement addresses our practices regarding the use of such information, the steps we take to protect it, as well as the choices and rights that you, as data subjects (“you” or “your”) have regarding the processing of your Personal Data. Data subjects involved can vary from:

(I) consumers/participants when carrying out our Market Research Activities; and/or

(II) every user of our Websites, recruitment applicants, subscribers to our newsletters, personal or corporate clients (and individuals associated with our corporate clients), suppliers (including subcontractors and individuals associated with our suppliers and subcontractors), business contacts (existing and potential clients and/or individuals associated with them), or any other individuals who get in touch with us when carrying out our Business Activities.

Unless we may otherwise communicate to you, and depending on the specific situation, we act in the capacity of controller, processor or joint controller when processing your Personal Data.

This distinction is relevant because it determines our responsibilities towards you, as a data subject and our obligations towards possible other actors involved, such as our clients. Our qualification also determines to what extent this Statement applies to the activities we carry out when processing your Personal Data, as explained hereafter.

(I) Market Research Activities

Where we carry out our Market Research Activities and we obtain Personal Data of you as a participant involved in such activities, we process your Personal Data on behalf of our clients. Our clients always act as controller of your Personal Data.

Human8 processes your Personal Data in accordance with the instructions of our clients in our principal position of processor of our clients. As regard this situation, our clients conclude a contract and data processing agreement under Article 28 GDPR with Human8.

Where Human8, together with our clients, exceptionally would determine the purposes and/or the essential means of the processing of your Personal Data in the course of carrying out the requested Market Research Activities, we will, together with our clients, qualify as joint controller with regard to your Personal Data. As regard this situation, our clients conclude a contract and together with our clients we concluded a so-called joint controller arrangement under Article 26 GDPR.

(viii) Information about the processing of Personal Data according to Articles 13 and 14 GDPR is provided jointly by both controllers to data subjects through privacy policies published on their official websites, and in particular this Statement.

(II) Business Activities

Where we carry out our Business Activities and we obtain Personal Data from you as a visitor to our Websites, an applicant, a subscriber to our newsletter, a client, a supplier, a business contact or as another individual who gets in touch with us, we process your Personal Data on behalf of the Human8. The entity of the Human8 to who you initially disclose your Personal Data acts as (initial) controller of your Personal Data.

However, in general most of our administrative, technical, financial, commercial and/or legal processing activities and services are performed centrally, at the level of our ultimate parent company (Human8) via so called centralized units. As regard this situation, Human8 and its subsidiaries and affiliates act as joint controller with regard to your Personal Data and within the Human8 an Intra-Group Agreement is concluded of which a joint controller arrangement under Article 26 GDPR is part.

(viii) Information about the processing of Personal Data according to Articles 13 and 14 GDPR is provided jointly by both controllers to data subjects as per this Statement.

Furthermore it remains possible for an entity of the Human8 to receive services directly or indirectly from one or more of the other entities of the Human8 (other than the ultimate parent company) via so called project services units or client services units. This is specifically the case, but not necessarily limited to, the situation where a local entity is carrying out Market Research Activities on behalf of our clients and requests the help of another local entity with regard to such Market Research Activities. As regard this situation, the entity of the Human8 providing its services to the other entity of the Human8 acts as (sub)processor with regard to your Personal Data and within the Human8 an Intra-Group Agreement is concluded of which a data processing agreement under Article 28 GDPR is part.

In accordance with Articles 13 and 14 GDPR this Statement provides you with information about the processing of Personal Data by Human8 on behalf of our clients (when carrying out Market Research Activities) and on behalf of the Human8 (when carrying out Business Activities).

Should you have any comments or questions about this Statement, or the processing of your Personal Data related hereto, you can contact the Human8 DPO via the contact information provided below in section 8.2 or click here.

In particular, with regard to our Market Research Activities, we provide the information as per this Statement on behalf of our clients and as part of our services to our clients. However, where Human8 acts as processor, we cannot be held accountable if this information would not be sufficiently providing you with the necessary information. Our clients as controller remain individually responsible to inform you about their specific use of your Personal Data. Such information will be provided to you separately in so far this would deviate from the Market Research Purposes as set out hereunder.

We will identify our clients, in their capacity of controller, at the beginning of each Market Research Activity we carry out on behalf of our clients, and we will provide you with all relevant contact details of our clients. However, in the exceptional case where identifying our client at the beginning of a specific Market Research Activity would have significant consequences on the results of such Market Research Activity we can decide to name our client at the end of such activity. In such an event, and before processing your Personal Data, we will make clear to you that our client will be named at the end of the Market Research Activity and we will provide necessary assurances that your Personal Data will be deleted if at the point our client is revealed you object, wish to withdraw your consent and/or no longer wish to participate. In any case Human8, regardless of its qualification and as part of its services to our clients, is mandated to handle or respond all your privacy related questions, request and/or complaints on behalf of our clients.

If after reading this Statement you still have any questions about how our clients use your Personal Data (including via us), you can contact the Human8 DPO via the contact information provided below in section 8.2 or click here. We will in any case forward all necessary information to our clients and make sure your questions, requests and/or complaints are handled and responded correctly.

A) Market Research Activities:

The Personal Data collected and processed by Human8 is generally received from you voluntarily and directly. In relation to the Market Research Activities we carry out on behalf of our clients it is possible that we receive your Personal Data from other sources, such as our client’s database, list brokers, our panel website or via advertising.

B) Business Activities

If we carry out our Business Activities and we obtain Personal Data, we process and disclose this information as follows:

C) Additional information

In case we obtain your Personal Data from other sources we will inform you, at the moment of first contact with you (e.g. when inviting you to participate to a Market Research Activity) and by bringing your attention to this Statement, of the fact that we hold Personal Data of you, the source your Personal Data originates from and whether it came from publicly accessible sources, and for what specific purposes we intend to retain and process your Personal Data.

If we have contacted you and you would like your Personal Data to be removed from our database we will remove you from our database as soon as reasonable practicable. In addition, we will inform any other sources and/or recipients of your Personal Data about such request and request them to do the same.

Unless we may otherwise communicate to you and under the condition we have a legal ground for doing so, Human8 will only use your Personal Data for these above mentioned purposes. If we intend to use your Personal Data for other purposes other than communicated to you, we will inform you in advance. For example: we will not use your Personal Data for advertising purposes unless you have freely given your explicit and prior consent.

Where Human8 relies on your consent for the processing of your Personal Data we shall make sure our client, or we on behalf of our client, have obtained your proper informed, specific, active and unambiguous consent. Please note that you can withdraw your consent at any time. For more information on how you can do this, see section on “Your Rights” or click here.

Where Human8 relies on our legitimate interest as a legal ground, we will mitigate the effect(s) this processing of your Personal Data might have on your privacy by appropriately minimising our use and putting in place adequate access and security safeguards to prevent unauthorised use.

In case of profiling as a purpose, it is not intended to have legal effects that would significantly affect the data subject. The consequences of this purpose is to categorize individuals in a general way for marketing purposes.

Please note that all retention periods related to the Personal Data we process on behalf of our clients, when carrying out the requested Market Research Activities, are determined by our clients. Human8 can only keep such Personal Data during the term of the data processing agreement with our clients after which we must return or erase all Personal Data, as our clients may choose. Our default is to remove personal data 2 years after the work has ceased, or 7 years for financial data/transaction purposes.

Human8 takes the security of all Personal Data we process (e.g. when carrying out our Business Activities or in connection to our Market Research Activities) seriously. Therefore we have implemented appropriate technical and organisational measures to secure the processing of Personal Data. These safeguards will vary depending on the sensitivity, format, location, amount, distribution and storage of the Personal Data, and include measures designed to keep Personal Data protected from unauthorized access. If appropriate, the safeguards include the encryption of communications via for example SSL, encryption of information during storage, firewalls, access controls, separation of duties, and similar security protocols. We restrict access to Personal Data to our staff members and third parties that require access to such information for legitimate and relevant business purposes.

Human8 (via its affiliate Human8) is ISO 27001 certified for Information Security Management (certificate number IS 71404) and can therefore demonstrate appropriate technical and organisational measures that are equivalent across all jurisdictions whether within or outside the EU. The same technical and organisational measures, which are centrally organised and managed by Human8, are also implemented in the organisation of the other entities of the Human8. Each entity of the Human8 has made contractual guarantees to comply with those same technical and organisational measures at all times.

All our staff members, contractors and third parties who will have access to your Personal Data on Human8 ’ instructions will be bound to confidentiality and we use security measures and access controls to limit access to individuals that require such access for the performance of their responsibilities and tasks.

We will only share your Personal Data with others when we are legally permitted to do so and where it’s necessary to fulfil the purposes related to those described above. When we disclose Personal Data to others, we put contractual arrangements and security mechanisms in place to protect the Personal Data and to comply with our own data protection, confidentiality and security standards.

Personal Data we hold could be transferred:

- to our clients

By carrying out our Market Research Activities on behalf of our clients we obtain and process information of you as a participant. If you participate in online surveys, polls or discussions or post material in the community, your screen name and the information you post will only be visible to us, the other participants in the community and to our clients. Any posts you make to a survey, poll or discussion in the community will in principle only be associated with your screen name. If you post any personally identifiable information yourself, we may at our discretion remove this for your own security. We recommend that you choose a screen name which does not resemble your real name.

We process this information on behalf of our clients and sharing this information with our clients is necessary for delivering our products and services to our clients. In this context it is possible that we share photos, image recordings, sound recordings or full datasets (e.g. answers to survey questions to help inform them about specific elements of their offer) we hold of you. However, we will only do so when we have obtained your explicit consent to such transfer.

Our Client may combine data collected from the Market Research Activity carried out by us on behalf of our clients with other data that they may hold about you. This Statement does not describe our client’s specific uses of your personal data, which information will be provided to you separately if this would deviate from the Market Research Purposes as set out above, but if you are not happy with your responses being used in this way, you should notify us prior to agreeing to participating to one of the Market Research Activities for which you are invited and for which you need to accept this Statement and any relevant terms and conditions of use. We can then determine with the client whether the use of your data can be limited and in that case whether it is possible to take part in the specific Market Research Activity.

We will not share Personal Data obtained in connection with providing our products and services to one client, with another client. We will also not sell, rent or lease this information to other third parties nor will we enrich our own database with such information or allow a third party to do so.

- within the Human8

We may share your Personal Data within our global network of corporations when this is necessary for carrying out our Market Research Activities and/or Business Activities and for the purpose for which your Personal Data was collected as set out above. For details of our subsidiaries and affiliates, please see contact details below or click here.

- to our Service Providers

Where necessary we use third parties to support us in providing our services and to help provide, run and manage our internal IT systems or (internal) business processes and ask them to perform certain tasks on behalf of us. We use services of providers of information technology, cloud based software as a service provider, Website hosting and management, data analysis, recruiting software, data back-up, security and storage services. Please find a list of our sub-processors via this link: https://info.insites-consulting.com/sub-processors/

We will only disclose or make accessible such Personal Data to these service providers to the extent required for the respective purpose. This data may not be used by them for any other purposes, in particular not for their own or third party purposes. In addition, our service providers are contractually bound to respect the confidentiality of your personal data through a so called “Data Protection Agreement”.

When you participate to our incentive system, we may have to share your Personal Data (e.g. name, e-mail address, …) with third parties that help us take care of our incentive handling.

- law enforcement or other government and regulatory agencies or to other third parties as required by, and in accordance with, applicable law or regulation:

We reserve the right to disclose any and all pertinent information to law enforcement or other third parties with the authority to acquire Personal Data, such as to check that we are complying with applicable law and regulation, to investigate an alleged crime, to establish, exercise or defend legal rights. We will only fulfil requests for Personal Data where this is necessary and appropriate and where we are permitted to do so in accordance with applicable law or regulation.

- inside and outside the European Economic Area (“EEA”)

We are a global network of corporations with entities established inside and outside the EEA and we can make use of third party service provides based outside the EEA to help us run our business. As a result, your Personal Data may be transferred outside the EEA. Under certain conditions the GDPR allows Human8 to transfer Personal Data to such third countries.

In the context of international research projects Human8 may also invite you to take part in research projects of both national and international business clients or partners, again including possible transfers outside the EEA .

In any case, we have taken steps to ensure all Personal Data is processed respecting adequate levels of security and that all transfers of the Personal Data outside the EEA take place in accordance with applicable data protection legislation and that there will be an appropriate level of protection. We will implement legal safeguards governing such transfer, such as standard contractual clauses, individuals’ consent, or other legal grounds permitted by applicable legal requirements. We evaluate each transfer and if necessary we conclude a SCC with the third party. Within the group we have concluded an intragroup agreement.

The GDPR provides you with certain rights in relation to your Personal Data.
These rights are listed below. Please contact us if you wish to exercise any of the rights below. You can find our contact information below or click here .

Please be aware that certain exceptions apply in exercising these rights which means you may not be able to exercise these in all situations:

- Right to access and copy: You have a right to have access to your Personal Data held by us.
- Right to amendment or rectification: You can ask us to have inaccurate Personal Data corrected.
- Right to erasure (‘Right to be forgotten’): You can ask us to erase your Personal Data in certain circumstances and we will take reasonable steps to inform data processors that are processing the Personal Data on our behalf that you have requested the erasure of any links to, copies or replication of your Personal Data.
- Right to restriction (‘limit the processing’): You can require certain Personal Data to be marked as restricted and also restrict processing in certain other circumstances.
- Right to portability: You can ask us to transmit the Personal Data of you to a third party electronically insofar as permitted under the GDPR.
- Right to complaint: If you have a complaint about the processing of your Personal Data by Human8 we will do our utmost best to resolve this complaint. In addition, you have the right to raise a complaint about our processing with our lead supervisory authority and/or your local supervisory authority. You can find relevant contact details below or click here.

In addition, under certain conditions, you have the right to:

- Right to withdraw consent: Where processing is based on your consent, you have the right to withdraw your consent at any time. All our newsletters contain an unsubscribe button in the footer of that e-mail. Please note that the withdrawal of your consent does not affect the lawfulness of the processing of your Personal Data prior to your withdrawal.
- Right to object: You have the right to object to any processing of Personal Data that Human8 justifies on the “legitimate interests” legal ground, unless our reasons for undertaking that processing outweigh any prejudice to the individual’s privacy rights; and to object to direct marketing (including any profiling for such purposes) at any time.

Exercising your rights is in principle free of charge. If your request appears to be unfounded or frivolous, we may charge you a reasonable fee in order to cover our own administrative costs. In such cases, however, we may also simply opt to decline your request. You will then be notified of the reasons for this.

In any case, we will always notify you within a period of four weeks (for simple requests) or 3 months (for complex or multiple requests) of the response to your request

Human8 reserves the right to revise and update this Statement at any time. The date of the last update can be found at the top of this Statement and the most recent version will always be made available on our Websites. Therefore, you should review our Websites periodically so that you are up-to-date on our most current policies and practices

We use cookies, and other online identification technologies such as web beacons, or pixels to provide users with an improved user experience. See link. https://www.insites-consulting.com/cookie-policy/

Each entity of the Human8 can be contacted via the following contact details. However should you have any comments or questions about this Privacy Statement or the processing of your Personal Data by Human8, we advise you to contact the Human8 DPO acting on behalf of the Human8.

We have appointed a data protection officer which is internally supported by a number of persons responsible for data protection related issues in general. We also use external legal advisors in this respect. Any privacy related questions, data subject requests and/or complaints can be addressed to the InSites Consulting DPO:

- Via e-mail: dpo@insites-consulting.com
- Via telephone: +32 (0)9 2691500
- Via postal mail: attn. InSites Consulting DPO
Evergemsesteenweg 195
9032 Wondelgem
Belgium

For the avoidance of any doubt the InSites Consulting DPO acts on behalf the InSites Group. Where InSites Consulting acts as processor or joint-controller with our clients, when carrying out our Market Research Activities on behalf of our clients, and as part of our services to our clients, the InSites Consulting DPO is appointed as single contact point. At your choice you may address your questions, request and/or complaints to the InSites Consulting DPO who is mandated to handle such requests or complaints on behalf of our clients or to our clients directly.

In accordance with Article 27 GDPR we have designated InSites Compages NV as the representative for the entities of the InSites Group established outside the EEA. InSites Compages NV, and in particular InSites Consulting DPO acting on behalf of the InSites Group, shall act as middleman between you as a data subject and the entities of the InSites Group outside the EEA that may process your Personal Data when carrying out Market Research Activities and/or Business Activities.

In accordance with Article 56 GDPR we have appointed the Belgian data protection authority as our Lead Supervisory Authority, considering the main establishment of the InSites Group is based in Belgium. The Lead Supervisory Authority will be primary responsible for dealing with our cross-border data processing activities. We therefore advice you to address any complaint you may have about the processing of your Personal Data by InSites Consulting to this authority. Notwithstanding the foregoing you have the right to raise a complaint about our processing with your local data protection authority.

For contacts details of any other local data protection authority (not provided hereunder) we would like to refer you to: https://edpb.europa.eu/about-edpb/board/members_en