Who we are
Sarid Research Institute LTD. (hereafter: “Sarid”) is a market research firm based in and operating from Israel. The scope of our operations is diverse and our reach is global.
The General Data Protection Regulation (GDPR) is a European regulation which came into effect on the 25th of May 2018, and applies to any body which collects or retains data on EU citizens.
We at Sarid Research Institute value privacy and data security, and we strive for full compliance with the GDPR. We are aligned with the ethical code as defined by ESOMAR. We are also ISO 27001 and ISO 27799 certified (Information security management systems and Information security management in health, respectively).
Our role as a controller and as a processor
The GDPR differentiates between controllers and processors and has guidelines for both. Controllers are organizations which determine the purpose of data collection, while processors are organizations that hold data or analyze it on behalf of the controllers.
You can think of it like a bank which saves and invests its customers’ money according to the customers’ wishes. In this analogy the bank is the processor and its customers are the controllers.
As a market research firm we operate both as a controller and as a processor. We are highly involved in any market research project we issue, and we determine what information to gather and how to analyze it.
Your data
Types of data we collect in surveys
The data we collect depends heavily on the specific project. Most of the time this data will contain information which is used as a means of contact and also for validation of the respondent answering the survey. Examples are: first and last names, email, mobile phone number, IP addresses, country of origin, etc. This type of information is defined as “personal information” according to the GDPR.
In addition to the personal data, we also collect data which serves the purpose of the project and concerns the specific client of each project. For example: the satisfaction of customers, interest in new products or features, attitudes to various ideas and more.
We strive to retain all data indefinitely, but we guarantee its retention for seven years. Upon a client’s request (or a respondent’s request) we will delete the data for that specific project/respondent.
For a GDPR Data Map regarding a specific project, please contact [email protected].
Where do we keep your data? (as a survey respondent)
This depends on each project. The following description matches most of our projects:
Firstly, before initiating the data collection, we may receive a list of contact details from a customer. This is done in projects like customer satisfaction/VoC surveys, where we must reach a designated population of contacts. This list of contacts is sent to us as an Excel file, transferred via a file transfer protocol or email (depending on scope or magnitude). In specific cases (ongoing surveys) it may also be transferred via a secure API call.
When we collect the data online, it is done via a sub-processor, SurveyGizmo, which is a surveying platform. We have an enterprise account, which includes two separate (identical) platforms: one in the US and one in Europe. According to the nature of each project and the requirements of our customers, we decide together with each customer whether the data should be collected on the EU platform or the US platform. Both platforms run on an AWS facility, and have a strict privacy and security policy. To read more about our sub-processor SurveyGizmo, go to: https://www.alchemer.com/privacy/gdpr/ and https://www.alchemer.com/privacy/.
Once the data collection is complete we conduct data analysis. Most of the time the data is statistically analyzed (not at the level of the individual record, but in an aggregated sense).
The analysis may take place at our facility in Haifa, Israel (locally). Once the data analysis is completed, the analyzed data is sent to the client as a presentation, Excel files, or a document.
Portions of the data may also be stored on our G Suite business account (Google’s cloud service), and are subject to the Google data processing amendment v2.1 (see https://gsuite.google.com/terms/dpa_terms.html).
In some projects, we generate a dashboard which is stored in the cloud, on a service provided to us by RStudio (“shinyapps.io”), which is located in an AWS facility in the US.
(see https://www.rstudio.com/about/rstudio-and-the-gdpr-what-you-need-to-know/).
Why do we process personal information?
When we process personal information, we do that to supply our customers with market research services, as part of a job we were hired to do. Mostly, we use the personal information for two purposes:
Validation — to make sure we are surveying the right person, and to make sure there is no abuse, i.e., no attempts to answer more than once or by someone who is not supposed to answer the survey.
To provide our client with a means of “follow-up”, if for example, one of their customers had issued a complaint which should be handled.
Note that this is a general description that may change between different projects and clients. We may use the personal information for other project-specific purposes, or may not use personal information at all (i.e., collect the data anonymously).
Accountability and Management
Appointment of a data protection officer
The scope and nature of the data we collect do not mandate a data protection officer (DPO), since we are not a public authority, nor do we conduct regular and systematic monitoring of data subjects on a large scale – most of our projects are small samples and/or are a “one-time” data collection effort. However, we have appointed a partner who will be available for any questions or concerns regarding privacy and data protection.
Dr. Adi Sarid,
Partner and Head of Data Science and Operations Research Department.
Contact Adi at [email protected], Phone: +972-4-8413030, or in the form at the bottom of this page
Awareness among decision-makers
All key persons and stakeholders at Sarid have been briefed regarding the GDPR and privacy issues. We also conduct internal audits and training sessions regarding information security. Once a year we conduct an external audit as part of our ISO 27001 and ISO 27799 certification process.
Staff training in data protection awareness
We train and brief the staff before each project we start. This brief includes the goals of the project, the details of what information is gathered and why, and how to treat various requests of respondents which may arise during the data collection.
Technical security up-to-date
In all our dealings we use top-notch suppliers, which in turn base their services on well-known and acknowledged cloud providers (mostly Amazon Web Services, Google Cloud, Google G Suite for business, Microsoft Azure, and DigitalOcean). The technical details of the security of our sub-processors are available at the aforementioned links (under “where we keep the data”). We also make sure that the data we collect is encrypted in transit, and for each project and client we make sure we meet the demands for the level of security, depending on the context of the project, what information is collected, at what scale, etc.
List of sub-processors
For the various dealings and projects we handle, we may use the following sub-processors:
Alchemer (formerly Surveygizmo)
Amazon (AWS)
Microsoft (Azure)
Google (GCP and/or G Suite for business)
RStudio
DigitalOcean
Cint AB
monday.com
All of these are compliant with the GDPR.
In addition, we periodically appoint digital marketing agents to conduct marketing activity on our behalf. Such activity may result in the compliant processing of personal information. Our appointed data processors include Prospect Global Ltd (trading as Sopro) Reg. UK Co. 09648733. You can contact Sopro and view their privacy policy here. Sopro are registered with the ICO, Reg: ZA346877; their Data Protection Officer can be emailed at: [email protected].
Representative within the EU
The obligation to designate a representative within the Union does not apply in our case, since the processing of EU citizens’ data is occasional and does not include large-scale processing of special categories of data, as defined in the GDPR (Articles 9(1), 10, 27).
However, if any interested person wishes to contact us, the details of our DPO are available:
Dr. Adi Sarid,
Partner and Head of Data Science and Operations Research Department.
Contact Adi at [email protected], Phone: +972-4-8413030, or in the form at the bottom of this page
Data breaches
We have not experienced data breaches so far. Any case of a data breach involving personal data will be reported to the authorities and to the data subjects it involves.
All our sub-processors are obligated by a data protection addendum to report data breaches that might affect our data.
Your data rights
As a data subject you are entitled to the following rights:
Request access to your personal information that is in our possession and/or request that we deliver that data to you; update your personal information to keep it accurate; request deletion of your personal data that is in our possession; request that we stop processing any such data; object to profiling or automated decision making that could impact you.
You can exercise all these rights by writing to our DPO via email or in the form at the bottom of this page.
Consent
“Consent” means that a data subject should actively approve the participation and collection of data. This approval should be freely given, specific, informed, and revocable.
Consent applies to data controllers. In cases where we act as data controllers and collect data of EU citizens, we make sure to add to each survey a dedicated privacy policy, which explains the aim of the survey, what details are collected, and so forth.
In any case (even if the survey is not conducted in the EU) we make sure that there is an introductory paragraph that explains the purpose of the survey, and what information is going to be collected. A respondent may request to opt out or not to answer the survey, thus not supplying any information.
Processing of children’s data
If a project requires the processing of data of children under the age of 16, we make sure that we get confirmation from a legal guardian for this processing.
We also make sure we are aligned with ESOMAR and COPPA regarding the surveying of children.
Questions?
For any other questions or inquiries regarding our privacy policy, GDPR compliance, or a request according to GDPR rights – contact us.