BASES / CI Privacy Services Agreement

The following terms will apply to any disclosure, receipt of or access to any personally identifiable or confidential information or communication of any persons including research participants and NIQ employees, e.g., mystery shoppers (collectively, “PII”) by, from or through NIQ in connection with services performed by NIQ on a project basis, based on client data or information and pertaining solely to Client, such as BASES and Consumer Insights (known as “Custom Services”), including in connection with any recording, transmission, images, live footage, focus groups, subscriber lists, videos or mobile data:

  1. PII. Client agrees that it will treat such PII in accordance with applicable market research guidelines, privacy regulations, and data protection legislation. Without limiting the generality of the foregoing and notwithstanding any provisions to the contrary, Client represents, warrants and agrees that Client will (a) use, permit the use of and/or handle any PII (i) in accordance with all applicable laws, regulations, best industry standards and reasonable security measures, and (ii) solely for Client’s internal research and development related to the product(s) being tested (“Purpose”), (b) disclose PII solely to internal members of Client’s team with the need to use or access PII for the Purpose, (c) not distribute or permit the distribution of PII outside of Client’s internal organization, (d) not sell or transfer PII to any party; (e) not disclose PII to general public, including in connection with advertising, marketing, or legal proceedings, (f) not combine or link PII with any other personal data, use PII in connection with a database, or use PII to ascertain to the identity of individual; (g) delete all PII within six (6) months of receipt, or at any time at NIQ’s choice, and certify to NIQ that it has done so, (h) with regard to California residents, additionally comply with Section 2 below; (i) if Client provides Nielsen with PII for use by Nielsen in connection with performing Services, disclose such PII in conformance with applicable law and any statement or policy that Client provides to such data subjects; and (j) hold harmless NIQ and its affiliates against any breach of any of the foregoing warranties or covenants.
  2. PII of California, USA residents and CPRA. In addition to the obligations set forth herein, with regard to the PII of any California resident, Client will comply with the following:

    Definitions:

    Business Purpose” means Client’s use of PII for internal research and development related to market research being conducted.

    CPRA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020.

    Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.

    Client will only collect, use, retain, or disclose PII for the Business Purpose.

    Client shall not: (i) sell or share PII, (ii) retain, use, or disclose PII for any purpose other than for the Business Purpose, nor for any commercial purpose, nor (iii) retain, use, or disclose PII outside of the direct business relationship between the Client and NIQ.

    Client shall comply with all applicable sections of the CPRA, including cooperating with NIQ in responding to and complying with consumers’ requests made pursuant to the CPRA, and implementing reasonable security procedures and practices appropriate to the nature of the PII received from, or on behalf of, NIQ to protect the PII from unauthorized or illegal access, destruction, use, modification, or disclosure. NIQ shall inform Client of any consumer request made pursuant to the CPRA that it must comply with and shall provide the information necessary for Client to comply with the request.

    Client shall notify NIQ no later than five (5) business days after it makes a determination that it can no longer meet its obligations under the CPRA.

    NIQ may conduct ongoing manual reviews and automated scans of Client’s system and regular assessments, audits, or other technical and operational testing at least once every twelve (12) months.

    Client shall delete all PII within six (6) months of receipt, or at any time at NIQ’s choice, and certify to NIQ that it has done so. NIQ may, upon notice, take reasonable and appropriate steps to stop and remediate Client’s unauthorized use of PII, including requiring Client to provide documentation that verifies that Client no longer retains or uses PII of consumers that have made a valid request to delete with NIQ.

    Client shall not combine PII that Client receives pursuant to Custom Services with any personal information that it receives from or on behalf of another person or persons, or collects from its own interaction with the consumer.

    Client certifies that it understands the restrictions set out in this Section (CPRA) and will comply with them.