Privacy Notice for gfknewron
Last modified: November 2023
- Controller
GfK is a global leader in data analytics and trusted provider of consumer and market intelligence. GfK takes the privacy of our market research participants very seriously and has over 85 years’ experience in the field.GfK GmbH (“GfK”, “we”) is responsible for this privacy notice and is the data controller. GfK is therefore responsible for the processing of personal data that we collect from or about you (“you”, “User”) in the the course of your usage of gfknewron (the “Platform”).
GfK GmbH
Sophie-Germain-Strasse 3-5
90443 Nuremberg
Germany
www.gfk.com
asknewron@gfk.com
GfK regularly reviews this privacy notice and reserves the right to make updates and changes at any time. GfK will inform you of any changes via pop-up notice on the Platform. - Processing of personal data
Personal data is any information about you which can be used to identify you as an individual.
In principle, you are not obliged to provide your personal data. However, if you do not provide your personal data, we may only be able to provide you with limited services or not answer your enquiries. If the processing of your personal data is necessary for the fulfilment of a contract between you and us and you do not provide the required information, we may discontinue our contractual services. In this case, we will notify you in advance.
We do not collect and process and you do not need to provide more or other types of personal data than are necessary to fulfill the respective purposes set forth in this privacy notice. If you do not provide certain personal data we may not be able to provide you with access to the Platform. If we intend to use your personal data that we process for purposes other than communicated in this privacy notice, we will inform you in advance and, in cases where the processing is based on your consent, use your personal data for a different purpose only with your permission.
2.1 Categories of data subjects
Platform Users: employees of GfK’s clients who have purchased licenses for the Platform.
GfK employees: employees of GfK who either manage the Platform as administrators; use the Platform for their job; or access the Platform for purposes of their own professional interest.
Prospective Users: employees of GfK’s clients who have been sent invites to the Platform by existing Platform Users.
2.2 Categories of personal data
2.2.1 User Account Data
• First name and surname
• Email address
• Hashed representation of password
• Client ID (from Salesforce)
• User ID (automatic generation)
• Platform role and permissions
• Date and time of initial Platform registration
• Date and time of latest login
• Login count
• Enablement of multi-factor authentication
2.2.2 User Data
• Company name
• Role (e.g. Manager)
• Career (e.g. Sales)
• Country
• Scope of responsibility (e.g. regional)
• Previous use of point-of-sale data (yes / no)
• Marketing consent
• Client status (trialist / paying subscriber)
• Client Platform subscription status (active / inactive)
• Client subscribed product(s)
2.2.3 Access Log Data
• Browser type and version
• Device operating system type and version
• IP address
• Device city and country location as inferred from IP address
• 30-day history of access events
2.2.4 Platform Usage Data
(A) Amplitude Analytics
• IP address
• Device manufacturer and model
• Device operating system type and version
• Date and time of log-in and log-out
• Login frequency, number of user logins over time
• Duration of visit on a subpage within the Platform
• SMTP-ID
• Browser type
(B) Appcues
• User ID
• Subscription data
• Company
• Device type, OS, browser, browser language
• Newron current page URL, current page title
• Newron last page URL, last page title
(C) Hotjar
• IP address (stored in a de-identified format)
• Browser type
• Referrer URL and domain
• Preferred Platform language
• Device screen resolution
• Device manufacturer and model
• Device operating system type and version
• Device geographic (country) location
• Mouse events (movements, location, clicks)
• Keypresses
• Pages visited
• Date and time of accessed pages
(D) Twilio SendGrid
• Email address
• First name
2.2.5 Prospective User Account Data
• Email address
• Client ID
• Platform permissions
• Date and time of invitation sent to the Prospective User
• Auth0ID of existing Platform User that initiated invitation to Platform
2.3 Processing Activities and Purposes, Legal Basis
We process your personal data to enable your use of the Platform, to provide, administer and maintain the Platform, as well as to analyze your use of the Platform to continuously improve the Platform as explained in more detail below.
2.3.1 Processing activity: storing Access Log Data
Purpose: Using our authentication tool, Auth0, we maintain an access log for the purpose of preventing and detecting information security threats, personal data breaches and other disturbance or technical disruptions to the service provided through the Platform.
Legal basis: Legitimate interest.
Categories of Personal Data: Access Log Data
2.3.2 Processing activity: creating User accounts and enabling user log in
Purpose: We require Users to create a User account for us to provide them with access to the Platform, to protect the information provided through the Platform and restrict access to authorized individuals, as well as for the purpose of ensuring the security of the processing of personal data. We use Auth0 to carry out User authentication processes.
Legal basis: Performance of our contract with clients for the provision of the Platform. Legitimate interest to provide the Platform to our own employees.
Categories of personal data: User Account Data, Access Log Data
2.3.4 Processing activity: creating Platform usage analytics
(A) Amplitude Analytics
Purpose: We use Amplitude Analytics to process Platform Usage Data for the purpose of better understanding usage habits, preferences and needs and to continuously improve the Platform and offer the best-possible user experience tailored to our client needs, as well as for the purpose of driving sales and renewals and to provide you with marketing communications which we tailor to your needs.
Legal basis: Our legitimate interest whereas your consent is our legal basis for any marketing communication we send to you.
Categories of Personal Data: Platform Usage Data (A), User Account Data, User Data.
Our selected admins for the Platform (“Platform Admins”) can view data only on a need-to-know basis and define the following specific User actions on the platform (“Events”) which they analyze for the aforementioned purposes:
• Signed in
• Signed out
• Signed up
• Navigation button clicked
• Page viewed
• Page scrolled
• Page element viewed
• Page element clicked
• Filter applied
• Table clicked
• Chart clicked
• Search clicked
• Contact Us clicked
• Email opened
• Email delivered
• Email link clicked
• Email reported as Spam
Our Platform Admins may create User groups (“Cohorts”) for Users which meet pre-defined Cohort criteria (e.g. client company) and transfer the data to Amplitude via API segments to analyze the Events.
(B) Appcues
Purpose: We use Appcues to process Platform Usage Data in order to notify relevant users on updates and disruptions on the Platform. As well as better understand users’ experience and needs to optimise our service and communication about capabilities.
Legal basis: Performance of our contract with clients for the provision of the Platform. Legitimate interest to optimize the users’ experience on the Platform.
Categories of Personal Data: Platform Usage Data (C), User Account Data, User Data.
Using Appcues we analyze the following User actions:
• Page visited
• Link clicked
• Button clicked
• Session pageviews
• Timestamp of the event occurred
Appcues also enables us to make your Platform experience more interactive by implementing features including User guides, dialogues and hotspots. Some elements may be configured to appear for Users meeting certain criteria (e.g. has visited the Platform at least 2 times), however they are never configured to target individual Users. If you do not want to receive these targeted messages you can turn on Do Not Track option in your browser. Please be aware that you then might miss important messaging to you.
(C) Hotjar
Purpose: We use Hotjar to process Platform Usage Data in order to better understand Users’ experience on the Platform and therefore their needs so that we can optimize our service and the Platform experience.
Legal basis: Legitimate interest.
Categories of Personal Data: Platform Usage Data (B), User Account Data, User Data.
Hotjar enables us to analyze data in various ways including aggregated website heatmaps and session recordings.
(D) Statistics for clients
Purpose: We create aggregated statistics from data collected as described above in Sections 2.2.4 (A), (B) and (C) for the purpose of providing our clients with insights on their Users usage of the Platform.
Legal basis: Our legitimate interest or if specifically requested by our clients, the legal basis is the performance of the contract.
Statistics provided to client companies do not reveal an individual Users’ identity.
2.3.5 Processing activity: creating tickets and enabling feedback
Purpose: We process our User’s personal data to provide them with technical and specialist support via our support ticketing system. We also process personal data in order to process feedback that Users give us in connection with their experience of the Platform.
Categories of Personal Data:
Ticketing: User Account Data, other personal data if and to the extent the User’s write a problem description or question or include optional attachments that may include other personal data.
Feedback: User Account Data, other personal data if and to the extent the User’s write a feedback message or include optional attachments that may include other personal data.
Legal basis: Our legitimate interest in providing support and enabling feedback for the Platform.
Our software provider for the data input is Qualtrics and we use Salesforce and Jira (hosted in the EU on GfK servers) to process the tickets. The processing of a ticket may involve the collation of your personal data with information (potentially including other personal data) about other interactions you have had with us. These interactions may include different GfK services and provide us with a background (e.g. about our prior technical support or your prior requests) which assists us to tailor our support and to enhance the overall User experience on the Platform.
2.3.6 Processing activity: analyzing Platform adoption
Purpose: We process personal data for the purpose of analyzing the adoption (frequency of use) of the Platform in order to drive product adoption, support Users in gaining the maximum benefit from the Platform and enable us to identify Users who may require assistance in using the Platform.
Categories of Personal Data: User Account Data, User Data (specifically: email address, client ID, Platform role and permissions, date and time of initial Platform registration, date and time of latest login, login count; company name, role, career, country).
Legal basis: legitimate interest and where applicable for certain marketing purposes, your consent
We export the aforementioned personal data and combine this using Microsoft Power BI. Actions taken by our Customer Success Managers and Account Managers on the basis of Power BI analyses may include contacting a User via email to offer Platform support or provide information about the Platform; or sending marketing communications to Users.
2.3.7 Processing activity: Storing Prospective User invitations
Purpose: Only on the occasion where a user invitation was sent by existing Platform Users, we will store the invitation details, for the purpose of providing better support onboarding Prospective Users to the Platform to become Platform Users. This information is stored for the time the invitations are valid for and deleted thereafter.
2.3.8 Processing activity: Sending transactional email to Users
Purpose: We send transactional emails to Users to update them about new activities on their User account (e.g. new uploaded data sets, received messages from other Users).
Categories of Personal Data: User Account Data, User Data
Legal basis: Performance of our contract with clients for the provision of the Platform. Legitimate interest to provide the Platform to our own employees.
2.4 Recipients and transfers
2.4.1 GfK Group
GfK may transfer your personal data to other legal entities within the GfK Group (including outside the European Economic Area) as needed for data processing and storage, providing you with access to our services, providing customer support, making decisions about service improvements, content development and for other purposes as described in this privacy notice. GfK Group’s legal entities have entered into intercompany data protection agreements using standard contractual clauses adopted by the European Commission to safeguard your privacy and legitimize international data transfers.
2.4.2 Third parties
Where necessary, we will commission other third parties to perform certain tasks on our behalf contributing to our services. We enter into data processing agreements with such parties to regulate the data processing activities.
GfK transfers your personal data to the following third-party recipients within the European Economic Area:
Hotjar Limited, located in Malta who acts as a processor.
Further information: https://www.hotjar.com/legal/policies/privacy/
Qualtrics, LLC with servers located in Germany and Ireland who acts as a processor.
Further information: https://www.qualtrics.com/privacy-statement/
Please note that the following transfers to third-party recipients outside the European Economic Area take place:
Amplitude, Inc. located in the United States of America who acts as a processor. Applicable safeguard: Standard Contractual Clauses
Further information: https://amplitude.com/privacy#cookies
Auth0, Inc. located in the United States of America who acts as a processor. Applicable safeguard: Standard Contractual Clauses
Further information: https://auth0.com/privacy
Appcues, Inc. located in the United States of America who acts as a processor. Applicable safeguard: Standard Contractual Clauses
Further information: https://www.appcues.com/privacy
HubSpot, Inc. located in the United States of America who acts as a processor. Applicable safeguard: Standard Contractual Clauses
Further information: https://legal.hubspot.com/privacy-policy
Microsoft Corporation located in the United States of America who acts as a processor by providing cloud hosting services for the Platform. Applicable safeguard: Standard Contractual Clauses
Further information: https://privacy.microsoft.com/en-us/privacystatement
salesforce.com, inc. located in the United States of America who acts as a processor. Applicable safeguards: Standard Contractual Clauses, Binding Corporate Rules
Further information: https://www.salesforce.com/company/privacy/
Twilio Inc., located in the United States of America who acts as a processor. Applicable safeguard: Standard Contractual Clauses
Further information: https://www.twilio.com/legal/privacy
Further to the above, please note that in certain situations GfK may be required by law to disclose your personal data to public bodies. For example, this may include responding to requests from courts, law enforcement agencies, regulatory agencies or other public/government authorities, which may include public bodies located outside your country of residence.
Please contact dpo@gfk.com to obtain a copy of our transfer mechanisms.
2.5 Retention
In general, we will delete the personal data we collected from you if they are no longer necessary to achieve the purposes for which they were originally collected. However, we may be required to store your personal data for a longer period due to statutory provisions.
Your User Account Data, User Data will be retained for the duration of your User authorization, namely until we are notified via email to platform@gfk.com that you are no longer authorized, and your User account should be deleted. Your User Account and User Data will then be deleted without undue delay
Your Access Log Data in Auth0 is retained for 30 days.
All other categories of personal data will be retained for as long as necessary to achieve the purposes set out above but in any case, only for a maximum of 2 years. Afterwards this personal data will be either deleted or anonymized. - Cookies
The Platform uses cookies and other technologies (e.g. pixels, scripts) (together “Cookies”). Cookies are e.g. small data files that are placed on your computer or mobile device when you visit our Platform. Cookies serve different purposes, like helping us to understand how you use the Platform, letting you navigate between pages efficiently, helping us remember your preferences and generally improving your browsing experiences.
We use first- and third-party Cookies. First-party Cookies come from our Platform and send information only to us; third-party Cookies are placed on our Platform by third parties and send information about your device to other companies to analyse how you are using our Platform. We use session Cookies, which are only stored for individual online sessions and are deleted when you close your browser; and persistent Cookies, which are deleted when they reach their expiry date or are deleted by the user.
We use Cookies for the following purposes:
“Performance Cookies”: these Cookies enable us to count visits and traffic sources so we can measure and improve the performance of our Platform. They help us to know, for example, which pages are the most and least popular or if you receive error messages on the Platform. Any analytics conducted on the basis of this information is aggregated.
“Functional Cookies”: These Cookies enable us to provide enhanced functionality and personalization of the Platform. They ensure your site preferences (e.g. settings or filters) are maintained and help us to incorporate services into the Platform that may involve third-party providers. Any analytics conducted on the basis of this information is aggregated.
Advertising Cookies”: These Cookies help us to better analyze the impact of our website and your interests, e.g. to show you personalized advertising or put other content on our or other websites. These may be displayed on our website or on third-party websites. In particular, the Cookie collects information about your browsing activities in order to understand which topics are relevant to you.
“Strictly Necessary Cookies”: These Cookies are necessary for the Platform to function and cannot be disabled in our systems. They are usually only set in response to actions made by you such as setting your cookie preferences, logging in or filling in forms. You can set your browser to block these cookies, but then some parts of the website will not work.
We place Strictly Necessary Cookies in order to provide you with a tele media service or other equivalent information society service expressly requested by you. The subsequent processing of Strictly Necessary Cookies is based on our legitimate interest to provide you with a technically optimized, user-friendly and appropriate website or your consent (as applicable). We use other Cookies only with your prior and express consent. Where we rely on consent, you can withdraw your consent at any time with effect for the future, e.g. by managing your Cookie settings under the Cookie preference centre or by contacting us at dpo@gfk.com.
A list of Cookies used by our website can be found in the following:
Performance
| Cookie Subgroup | Cookies | Cookies used | Lifespan |
| gfk.com | __tld__, _hjAbsoluteSessionInProgress, _hjFirstSeen, _hjSession_2440728, _hjSessionUser_2440728, _hjTLDTest, ajs_anonymous_id, ajs_group_id, ajs_user_id, amplitude_id_*, amplitude_id_xxxxxxxxxxxxxxxxxxxxx, amplitude_idundefinedgfk.com, amplitude_testgfk.com, apt.sid, apt.temp-*, apt.uid | First Party | Session, A few seconds, A few seconds, A few seconds, 364 Days, Session, 365 Days, A few seconds, A few seconds, 3649 Days, 3649 Days, Session, Session, A few seconds, A few seconds, 364 Days |
| platform.gfk.com | _hssc, _hssrc, _hstc, _hjIncludedInPageviewSample, _hjIncludedInSessionSample, amplitude_cookie_tst, hubspotutk | First Party | A few seconds, Session, 389 Days, A few seconds, A few seconds, Session, 389 Days |
| hubspot.com | _cf_bm | Third Party | A few seconds |
| js.hs-analytics.net | _hssc, _hssrc, _hstc, hubspotutk | Third Party | A few seconds, Session, 389 Days, 389 Days |
| js.hs-banner.com | _hssc, _hssrc, _hstc, hubspotutk | Third Party | A few seconds, Session, 179 Days, 179 Days |
Functional
| Cookie Subgroup | Cookies | Cookies used | Lifespan |
| gfk.com | apt.temp-xxxxxxxxxxxxxxxxxxxxxxx | First Party | A few seconds |
Advertising
| Cookie Subgroup | Cookies | Cookies Used | Lifespan |
| siteintercept.qualtrics.com | cookietest, QSI_SI_1RiXvYFIgUJdnL0_intercept | Third Party | Session, A few seconds |
Strictly Necessary
| Cookie Subgroup | Cookies | Cookies used | Lifespan |
| login.microsoftonline.com | SignInStateCookie, x-ms-gateway-slice, x-ms-RefreshTokenCredential | First Party | Session, Session, Session, |
| login.microsoftonlin.com | buid, CCState, ch ESTSAUTH, ESTSAUTHLIGHT, ESTSAUTHPERSISTENT, ESTSSC, fpc, stsservicecookie | First Party | Session, 3 Days, 90 Days, Session, Session, 90 Days, Session, 30 Days, Session |
| .appcues.com | apc_next_content_id | First Party | A few seconds |
| platform.gfk.com | _legacy_auth0.is.authenticated, auth0.is.authenticated, cokkietest, OptanonAlertBoxClosed, OptanonConsent | First Party | A few seconds, A few seconds, Session, 364 Days, 364 Days |
| www.gfk.com | _cfruid | First Party | Session |
| siteintercept.qualtrics.com | QSI_SI_5Ayex0lS5Zjr3sW_intercept, QSI_SI_b3YoNh4TOiMFDF4_intercept | Third Party | A few seconds, A few seconds |
| cdn.auth0.com | com.auth0.auth | Third Party | A few seconds |
| auth.gfk.com | _cf_bm, _csrf, auth0, auth0_compat, did, did_compat | Third Party | A few seconds, 10 Days, 1 Day, 1 Day, 364 Days, 364 Days |
4. Your Rights
You have the following rights in relation to your personal data:
- right of access and right to receive a copy of your personal data, Art. 15 GDPR
- right of rectification, Art. 16 GDPR
- right to erasure (“right to be forgotten”), Art. 17 GDPR
- right to restriction of processing, Art. 18 GDPR
- right to data portability, Art. 20 GDPR
Further, you have the right to object to the processing of your personal data for direct marketing purposes at any time.
Withdrawal of consent: You can withdraw consent at any time with effect for the future by contacting us at dpo@gfk.com or using the contact information in section 1.
Right to lodge a complaint: In the event of a (suspected) breach of applicable data protection laws, you may lodge a complaint with the supervisory authority.We do not make decisions based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you (Art. 22 GDPR).
Processing Time: We will comply with your request without undue delay and in any event within one month of receipt of the request. This period may be extended by a further two months if necessary, considering the complexity and number of requests. GfK will inform you of any such extension, together with the reasons for the delay, within one month of receipt of the request. This does not apply to right to withdraw consent, which we implement without delay within our statutory obligation.
5 Data protection officer
The Data Protection Officer of GfK GmbH can be contacted at dpo@gfk.com.