INSIGHT ANGELS LTD

DATA PROTECTION & PRIVACY POLICY

Last Updated On 10-Jan-2024

Effective Date 25-May-2018

 

1.     Introduction

Insight Angels Ltd (hereafter referred to as Insight Angels) is an independent research and insight consultancy. We work with businesses to help them better understand their customers through conducting market research or analysing data which already exists within their business.

As part of its social responsibility, Insight Angels is committed to compliance with data protection laws, regulation and rules. This Policy adopts the fundamental principles of the EU’s General Data Protection Regulation (“GDPR”) as the minimum standard to which Insight Angels, its employees and suppliers will have to adhere.

Insight Angels depends on the collection and analysis of information about living individuals (“Data Subjects”) to carry out its market research and associated business. Maintaining respondents’ and the public’s confidence requires that respondents do not suffer direct adverse consequences, risk or harm as a result of providing Insight Angels with their information or their Personal Data being processed for Insight Angels’ business purposes. The information may be obtained from any kind of individual or organisation.

To conduct its business, Insight Angels also needs to collect and process certain types of information about people with whom Insight Angels deals. These include current, past and prospective employees, suppliers, clients and others with whom it might communicate. In addition, Insight Angels may occasionally be required by law to process certain types of Personal Data to comply with specific legal requirements.

This Policy describes the minimum standards of how Personal Data must be processed, collected, handled and stored to meet Insight Angels’ data protection standards. Data Users are obliged to comply with this Policy when processing Personal Data on Insight Angels’ behalf. Any breach of this Policy may result in disciplinary action, up to and including dismissal from Insight Angels.

 

2.     Scope

Within Insight Angels, this Policy will form the minimum standard to which all Insight Angels employees and suppliers have to adhere, regardless of whether GDPR directly applies to any specific activity or territory.

Everyone who works for Insight Angels has some responsibility for ensuring Personal Data are collected, stored and handled appropriately. It is everyone’s responsibility that Personal Data are handled and processed in line with this Policy and its data protection principles.

Insight Angels also expects that its suppliers/vendors comply with the principles as set out herein.

 

3.     Application of National Laws and Codes of Conduct

This Data Protection Policy adopts the internationally accepted privacy principles as enhanced by the GDPR. It is subsidiary to and supplements any applicable national legislation. The relevant national laws will take precedence if there is a conflict with this Policy or it has stricter requirements than this Policy. Any registration, notification or reporting requirement for data processing under national laws must be observed. The contents of this Policy must also be observed in the absence of corresponding national legislation.

 

4.     Principles For Processing Personal Data

All Personal Data must be dealt with properly, irrespective of how they are collected, recorded and processed - whether on paper, in a computer file, database, or recorded on other material. Insight Angels regards the lawful and correct treatment of Personal Data and maintaining the confidence of those with whom it deals as a vital component of its business operations and is committed to act ethically and responsibly in respect of these Personal Data and to always provide a high degree of confidentiality and security. To demonstrate these commitments, Insight Angels adheres to the principles relating to the processing of Personal Data found in the GDPR.

Insight Angels respects the following principles (explained in more detail later) concerning Personal Data, which must be:

Processed fairly and lawfully;

Processed for limited purposes and in an appropriate way;

Adequate, relevant and not excessive for the purpose;

Accurate;

Not kept longer than necessary for the purpose;

Processed in line with Data Subjects' rights;

Secure;

Not transferred to people or organisations situated in other countries without adequate protection.

4.1 Lawfulness, Fairness and Transparency - Personal Data must be processed and collected lawfully, fairly and in a transparent manner in relation to the Data Subject. Furthermore, Data Subjects must be informed of how their data are being handled. In general, Personal Data must be collected directly from the individual concerned. Where this is not the case, the legal basis on which the processing is nevertheless justified must be documented. The DPO has to be consulted on whether a Data Protection Impact Assessment (DPIA) must be conducted.

4.2 Purpose Limitation - Personal Data must only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Subsequent changes to the purpose are only possible to a limited extent and require substantiation and validation. The DPO has to be consulted on whether a Data Protection Impact Assessment (DPIA) must be conducted.

4.3 Data Minimisation - Personal Data must be adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed. It must be determined whether and to what extent the processing of Personal Data is necessary to achieve the purpose for which the processing is undertaken. Where the purpose allows and where the expense involved is in proportion with the goal being pursued, anonymised data must be used instead of Personal Data.

4.4 Accuracy - Personal Data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that Personal Data that are inaccurate, having regard for the purpose for which they are processed, are erased or rectified without delay.

4.5 Storage Limitation - Personal Data must not be retained in a form which permits identification of Data Subjects for longer than is necessary for the purpose for which the Personal Data are processed. Insight Angels will not keep Personal Data longer than is necessary for the purpose or purposes for which they were collected. Insight Angels will take all reasonable steps to destroy, or erase from its systems, all Personal Data which are no longer required.

4.6 Integrity and Confidentiality - Personal Data must be processed in a manner that ensures appropriate security of the Personal Data, protecting them from being revealed, disseminated, accessed or manipulated. Therefore, where methodologically possible and the expense is not disproportionate to the Data Subject’s risks, pseudonymised data must be used for the processing.

4.7 Restriction on Transfers - Personal Data must not be transferred to other countries that do not offer an adequate level of protection. Insight Angels has introduced various measures to provide such an adequate level of protection on a general basis (see also paragraph 6 for more detail); however, various countries may have further and/or different requirements that must be adhered to.

4.8 General Measures and Considerations - Additionally, in respect of its market research business, Insight Angels complies with the MRS (Market Research Society) Code of Conduct.

 

5.     Legal Grounds for Data Processing

Insight Angels will be collecting, processing and using Personal Data only under the following legal bases, always provided that such legal basis exists under applicable national law. One of these legal bases is also required if the purpose of collecting, processing and using the Personal Data is to be changed from the original purpose, unless there is clear compatibility between the original purpose and the new purpose. See also paragraph 4.2 and any potential additional compliance requirements.

5.1  Respondent Data - Respondents may be Data Subjects in Insight Angels’ business.

5.1.1      Consent to Data Processing - Personal Data can be processed following consent by the Data Subject. Before giving consent, the Data Subject must be informed in accordance with the transparency principle as set out under paragraph 4.1. The declaration of consent must be obtained in writing or electronically for the purposes of documentation. In some circumstances, such as telephone interviews, consent can be given verbally. In all cases, the granting of consent must be documented. Any consent will only be valid if it constitutes a freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he/she, by a statement or by a clear affirmative action, signifies agreement to the processing of the Personal Data relating to him/her.

5.1.2      Data Processing for a Contractual Relationship - Apart from consent, a Data Subject’s Personal Data may be processed where this is necessary in the context of a contract to which the Data Subject is a party, to fulfil relevant obligations and rights. This also applies where such processing is necessary in order to establish or terminate a contract.

5.1.3      Data Processing Pursuant to Legal Authorisation - The processing of Personal Data is also permitted if national legislation requests, requires or allows this. The type and extent of data processing must be necessary for the legally authorised data processing activity and must comply with the relevant statutory provisions.

5.1.4      Data Processing Pursuant to Legitimate Interest - Personal Data can also be processed if it is necessary for the legitimate interests of Insight Angels and where national legislation provides for this basis (e.g. GDPR Article 6(1)(f)). The legal basis of legitimate interest for processing is not recognised in every country, and relevant national legislation will take precedence. Generally, special categories of Personal Data may not be processed on the basis of legitimate interest. In any event, Personal Data may not be processed on the basis of a legitimate interest if, in the individual case, there is evidence that the interests of the Data Subject merit protection and that this protection takes precedence. Before Personal Data are processed on the legitimate interest basis, it is necessary to determine whether there is an interest that merits protection, and whether a legitimate interest assessment (in the form of a DPIA with a particular focus on the legitimate interest) needs to be conducted by Insight Angels. Any such assessment has to be validated by the DPO.

5.1.5      Processing of Special Categories of Personal Data - Special categories of Personal Data can be processed only if the law requires this or the Data Subject has given his/her explicit consent. Special categories of Personal Data can also be processed if it is mandatory for asserting, exercising or defending legal claims. Within the EEA, special categories of Personal Data may also be processed for scientific and historical research and for statistical purposes (Article 9(2)(j)), subject to appropriate additional measures. Before relying on this provision, the advice of the DPO must be obtained.

5.1.6      User Data and Internet - If Personal Data are collected, processed and used on websites or in apps, the Data Subject must be informed of this in a privacy statement including, if applicable, information about cookies or similar technical measures. The privacy statement and any cookie information must be integrated so that they are easy to identify, directly accessible, easily understandable and consistently available to the Data Subject. If usage profiles (tracking) are created to evaluate the use of websites and apps, the Data Subjects must always be informed accordingly in the privacy statement. Tracking of Data Subjects online may only be effected if it is permitted under national law or upon explicit consent of the Data Subjects. Even if tracking uses a pseudonym for the Data Subject, the Data Subject should be given the chance to opt out in the privacy statement. If websites or apps can access Personal Data in an area restricted to registered users/respondents, the identification and authentication of the Data Subject must offer sufficient protection during access.

5.2  Personal Data Provided by Clients - Transmission of Personal Data to Insight Angels by its clients may happen, for example to provide us with sample or to enhance existing sample. In respect of any Personal Data so received, Insight Angels will be the Processor and may only Process these Personal Data in accordance with the instructions agreed with or received from the client. These instructions may include restrictions on transfers to other parties or transfers to other countries as well as specific security requirements. Any such restrictions must be complied with. It is imperative that such instructions are documented in writing and agreed before any relevant contractual arrangements are accepted by Insight Angels, to ensure that Insight Angels is able to comply with any client specific restrictions or requirements. Irrespective of any client requirements, any Personal Data provided by a client may only be:

Processed for the purpose they were provided for;

Kept no longer than is required for the purpose;

Subject to the same security requirements applicable to Insight Angels’ own Personal Data.

5.3  Employee Data

5.3.1      Data Processing for the Employment Relationship - In employment relationships, Personal Data can be processed if needed to initiate, carry out and terminate the employment agreement. When initiating an employment relationship, the applicant’s Personal Data can be processed. If the candidate is rejected, his/her data must be deleted in observance of the required retention period unless the applicant has agreed to remain on file for a future selection process. In the existing employment relationship, data processing must always relate to the purpose of the employment agreement if none of the following circumstances for authorised data processing apply. If it should be necessary during the application procedure to collect information on an applicant from a third party, the requirements of the corresponding national laws must be observed. In cases of doubt, consent must be obtained from the Data Subjects. There must be legal authorisation to process Personal Data that are related to the employment relationship but were not originally part of the performance of the employment agreement. This can include legal requirements, collective regulations with employee representatives, consent of the employee or the legitimate interest of the company.

5.3.2      Data Processing Pursuant to Legal Authorisation - Please see above at paragraph 5.1.3 for the further requirements.

5.3.3      Collective Agreements on Data Processing - If a data processing activity exceeds the purposes for fulfilling a contract, it may be permissible if authorised through a collective agreement between the employer and employee representatives, within the scope allowed under the relevant employment law. The agreements must cover the specific purpose of the intended further data-processing activity and must be drawn up within the parameters of national data protection and employment legislation.

5.3.4      Consent to Data Processing - Employee data can be processed upon consent of the person concerned. Declarations of consent must be submitted voluntarily. Within the EU/European Economic Area, consent generally does not constitute a valid legal basis for the processing in the employment context as there is a legal presumption that such consent was not submitted voluntarily and any processing will have to rely on one of the other legal bases available. Involuntary consent is void. To the extent that consent is a valid basis for processing, please see above at paragraph 5.1.1 for the further requirements. A further complication is that consent can normally be withdrawn, thereby preventing any further processing.

5.3.5      Data Processing Pursuant to Legitimate Interest - Personal Data may also be processed if it is necessary to enforce a legitimate interest of Insight Angels, where the applicable law allows for the processing of Personal Data based on a legitimate interest. Within the employment context, legitimate interests are generally of a legal or financial nature. Please see above at paragraph 5.1.4 for the further requirements and limitations of legitimate interest. Control or supervisory measures that require processing of employee data can be taken only if there is a legal obligation to do so or there is a legitimate reason. Even if there is a legitimate reason, the proportionality of the control measures must also be examined before such measures are applied. The justified interests of the company in performing the control measure (e.g. compliance with internal company rules or security interests) must be weighed against any interest meriting protection that the employee affected by the measure may have in its exclusion and the measure cannot be performed unless found to be appropriate. The legitimate interests of the company and any interests of the employee meriting protection must be identified and documented before any measures are taken by way of a legitimate interest assessment. Moreover, any additional requirements under national law (e.g. rights of codetermination for the employee representatives and information rights of the Data Subjects) must be taken into account.

5.3.6      Processing of Special Categories of Personal Data - Special categories of Personal Data can be processed only if the law requires this or the Data Subject has given his/her explicit consent. These data can also be processed if it is mandatory for asserting, exercising or defending legal claims.

5.3.7      Automated Decisions - If Personal Data are processed automatically as part of the employment relationship and specific personal details are evaluated for decision making (e.g. as part of a personnel selection process or the evaluation of scores), this automatic processing cannot be the sole basis for decisions that would have negative consequences or create significant problems for the affected employee. To avoid erroneous decisions, the automated process must ensure that a natural person evaluates the content of the situation, and that this evaluation is the basis for the decision. The Data Subjects must also be informed of the facts and results of automated individual decisions and of the possibility to respond.

5.3.8      Telecommunications and Internet - Telephone equipment, email addresses and online services are provided by Insight Angels primarily for work-related assignments. They are a tool and a company resource. They can be used within the applicable legal regulations and internal company policies. In the event of authorised use for private purposes, the law on secrecy of telecommunications in the relevant national telecommunication laws must be observed, if applicable. For security reasons, the use of telephone equipment, email addresses and online services can be locked permanently or on a temporary basis for individual addresses/locations or connection types.

5.4  Marketing Contacts - Generally, marketing contacts are no different from respondents in respect of the privacy protections accorded to them. Their contact details constitute Personal Data, even if they are business related. Only if the contact details are truly generic, like “contact@acme.com”, will they not fall under this Policy. Marketing communications are often subject to specific legal requirements, particularly if they are sent electronically or made by phone. It has to be assumed that marketing contacts have not requested the marketing materials. In other words, the recipients have not asked to receive marketing communications from Insight Angels. To proceed legally, the conditions concerning legal basis, in particular the consent requirements set out in paragraph 5.1.1, apply here as well. Exceptionally, a 'soft opt-in' can be applied if the below conditions are met:

Where the Data Subject’s details were obtained in the course of a sale or negotiations for a sale of Insight Angels services;

Where the messages are only marketing similar services; and

Where the person is given a simple opportunity to refuse marketing when their details are collected, and if they don't opt out at this point, are given a simple way to do so in all future messages.

 

6.     Transmission of Personal Data

Transmission of Personal Data to recipients outside or inside Insight Angels is subject to the authorisation requirements for processing Personal Data under paragraph 4.7 Restriction on Transfers. The data recipient (such as a sub-contractor) must be required to use the data only for the defined purposes. For external transfers, the requirements of this paragraph and those of paragraph 7 Outsourced/Third Party Data Processing apply cumulatively. If Personal Data are transmitted to a recipient outside Insight Angels in a third country, this recipient must agree in writing to maintain a data protection level equivalent to this Data Protection Policy or as required under applicable law. For example, the GDPR stipulates various requirements that must be complied with before any transfer may occur. In the alternative, the laws of the domiciliary country of Insight Angels may acknowledge the purpose of data transmission based on the legal obligations of a third country. Where Personal Data are transmitted by a third party (like a sample supplier) to Insight Angels, it must be ensured that the Personal Data can be used for the intended purpose. Any transfer of Personal Data within Insight Angels shall only be made after a relevant DPIA has been carried out.

 

7.     Outsourced/Third Party Data Processing

In some cases, Insight Angels may use external providers to process Personal Data. In these cases, an agreement on data processing on behalf of Insight Angels must be concluded with such provider. This can be done either by way of including appropriate provisions in the agreement governing the overall relationship with the provider or in a separate and specific document. In respect of processing on behalf of Insight Angels, the provider may only process the Personal Data as per the instructions from Insight Angels. When instructing a provider, the following requirements must be complied with:

Where the Personal Data in question fall under paragraph 5.2 (client data), any relevant client requirements need to be passed down to the provider;

The provider must be chosen based on its ability to cover the required technical and organisational protective measures and in line with Insight Angels’ supplier approval process;

The provider must not subcontract the processing further without Insight Angels’ prior written consent;

The instructions must be set out in writing by way of an appropriate contract;

The instructions on data processing and the responsibilities of Insight Angels and the provider must be documented.

Before the data processing begins, Insight Angels must be confident that the provider will comply with its duties. A provider can document its compliance with data security requirements in particular by presenting suitable certification. Depending on the risk of data processing, the reviews must be repeated on a regular basis during the term of the contract. Insight Angels should retain the right to audit the provider’s compliance.

In the event of cross-border contract data processing, the relevant national requirements for disclosing Personal Data abroad must be met. In particular, the Personal Data from the European Economic Area can be processed in a third country only if the provider can prove that it has a data protection standard equivalent to the GDPR and this Data Protection Policy. Suitable tools can be:

An agreement based on EU standard contract clauses for contract data processing in third countries with the provider. Similar agreements will be required for any subcontractor of the provider;

Participation of the provider in a certification system accredited by the EU for the provision of a sufficient data protection level.

 

8.     Rights of the Data Subject

Every Data Subject has the following rights. Their requests are to be handled immediately by Insight Angels and may not result in any disadvantage to the Data Subject. Where the relevant Personal Data are being processed by Insight Angels under paragraph 5.2 Personal Data Provided by Clients, the relevant client contract must be consulted in respect of any process to be followed, and the client has to be informed about such request immediately.

Right of access: The Data Subject may request information on how Personal Data relating to him/her have been stored, how the data were collected and for what purpose. If Personal Data are transmitted to third parties, information must be given about the identity of the recipient or the categories of recipients.

Right to rectification: If Personal Data are incorrect or incomplete, the Data Subject can demand that they are corrected or supplemented.

Right to withdraw consent: Where the Personal Data are processed on the basis of Consent (see also the separate guidance on Consent), the Data Subject can object to the processing at any time. These Personal Data must be blocked from the processing that has been objected to.

Right to erasure: The Data Subject may request his or her data to be deleted if the processing of such data has no legal basis, or if the legal basis has ceased to apply. The same applies if the purpose behind the data processing has lapsed or ceased to be applicable for other reasons. Existing retention periods and conflicting interests meriting protection must be observed.

Right to object: The Data Subject generally has a right to object to his/her data being processed, and this must be taken into account if the protection of his/her interest takes precedence over the interests of the data controller owing to the particular personal situation. This does not apply if a legal provision requires that the Personal Data be processed.

Right to data portability: The Data Subject has the right to request that the Personal Data provided by him/her be made available to the Data Subject in an easily readable format, like a Word or Excel document.

 

9.     Confidentiality of Processing

Personal Data are subject to data secrecy. Any unauthorised collection, processing, or use of such data by employees is prohibited. Any data processing undertaken by an employee that he/she has not been authorised to carry out as part of his/her legitimate duties is unauthorised. The “need-to-know” principle applies. Employees may have access to Personal Data only as is appropriate for the type and scope of the task in question. This requires a careful breakdown, separation and limitation of roles and responsibilities. Furthermore, the requirements of the Information Management Policy apply. Employees are forbidden to use Personal Data for their own private or commercial purposes, to disclose them to unauthorised persons, or to make them available in any other way. Supervisors must inform the employees at the start of the employment relationship about the obligation to maintain data secrecy. This obligation shall remain in force even after employment has ended. The employment agreements with Insight Angels staff must contain appropriate confidentiality obligations.

 

10.  Privacy by Design and Default

Insight Angels will use a Privacy by Design and Default approach in all its work, but in particular when: building new IT systems for storing or accessing personal data; developing new applications or research approaches; embarking on a data sharing initiative; or using data for new purposes. Privacy by design is an approach to projects that promotes privacy and data protection compliance from the start. It is a key consideration in the early stages of any project, and then throughout its lifecycle. Taking a privacy by design approach is an essential tool in minimising privacy risks, and it builds trust by designing projects, processes, products or systems with privacy in mind from the outset.

 

11.  Processing Security

Personal Data must be safeguarded from unauthorised access or disclosure (whether caused internally or externally), unlawful processing, and accidental loss, modification or destruction. This applies regardless of whether the data are processed electronically or in paper form. Apart from securing existing Personal Data in line with Insight Angels’ relevant policies, before the introduction of new methods of data processing, in particular new IT systems or research approaches, technical and organisational measures to protect Personal Data must be defined and implemented. These measures must be based on the state of the art, the risk of processing and the need to protect the data. These technical and organisational measures should be agreed in consultation with the relevant Information Security Officer and the DPO. The technical and organisational measures for protecting Personal Data are part of the Corporate Information Security management and must be adjusted continuously to technical development and advancement as well as organisational changes. As a minimum, Insight Angels will process all Personal Data it holds in accordance with its Security Policy and take appropriate security measures against unlawful or unauthorised processing of Personal Data, and against the accidental loss of, or damage to, Personal Data.

 

12.  Data Protection Audit

Compliance with this Data Protection Policy and the applicable data protection laws is checked regularly with data protection audits and other controls. The performance of these controls is the responsibility of the DPO, Internal Audit and/or externally hired auditors. Various Insight Angels clients also have audit rights under their agreements with Insight Angels. The results of the data protection audits must be reported to the DPO. On request, the results of data protection audits will be made available to the responsible data protection authorities.

 

13.  Data Protection Incidents

All employees must inform the DPO immediately about cases of violations of this Data Protection Policy or other regulations on the protection of Personal Data, in accordance with the Personal Data Breach Management Procedure which can also be found in Section 8. Any failure to address serious failings under this Policy can also be reported directly to the company directors. In case of: improper transmission of Personal Data to third parties; improper transmission of Personal Data across borders; improper access, including by third parties, to Personal Data; or loss of Personal Data (including data then becoming public due to internal failures), a data protection breach notification must be made immediately to ensure that a) any reporting duties under national law can be complied with, b) any affected client can be informed and c) any stakeholder communication can be managed. Any Data Protection breach will also constitute an information security incident under the IT Incident Management policy.

 

14.  Responsibilities and Sanctions

14.1. Management - The directors of Insight Angels are responsible for data processing. Therefore, they are required to ensure the legal requirements, and those contained in this Data Protection Policy, for data protection are met. Management are responsible for ensuring that organisational, HR and technical measures are in place so that any data processing is carried out in accordance with these data protection requirements. Compliance with these requirements is also the responsibility of the relevant employees. Improper processing of Personal Data, or other violations of the data protection laws, can be criminally prosecuted in many countries and result in claims for compensation of damage. In addition, violations for which individual employees are responsible can lead to sanctions under employment law.

14.2. Data Protection Officer – Insight Angels will be required to appoint a Data Protection Officer (“DPO”). The DPO is the internal and external contact person for data protection. They can perform checks and must familiarise the employees with the contents of this Data Protection Policy and applicable legislation. The main tasks of the DPO are:

To inform and advise the organisation and its employees about their obligations to comply with the applicable data protection laws and this Data Protection Policy; 

To monitor compliance with the data protection laws, including managing internal data protection activities, advising on (but not conducting) data protection impact assessments, training staff and conducting internal audits;

To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc.);

To report to the highest management level of Insight Angels – i.e. to other board level director(s);

To operate independently, free from instructions in carrying out their tasks, and not be dismissed or penalised for performing them;

To be provided with adequate resources to enable the DPO to meet their obligations under the applicable data protection laws and this Data Protection Policy.


15.  Derogation

In exceptional cases, it may be possible to obtain a derogation from this Policy, prior to any intended processing of the Personal Data affected. Any such derogation may only be granted following a full data protection impact assessment to establish and assess the risks to any affected Data Subject, legal risks and reputational impact and is subject to approval by the directors of Insight Angels.


16.  Glossary

Data Controller/Controller/Joint Controller

This is the person or organisation which determines the purposes for and the manner in which any Personal Data is processed. It is responsible for establishing practices and policies in line with the applicable legal requirements. In most cases where Insight Angels is receiving sample from a client, it will be joint controller of the data collected. This extends to the data collected, even where respondents have been assured of the confidentiality of their answers. The responsibilities and obligations of the joint controllers have to be documented and clarified in a written agreement. Some jurisdictions use other expressions for the same concept, like Responsible Person, Organisation, Operator, etc.

Data Users

These are those of our employees whose work involves processing Personal Data. Data users must protect the data and Personal Data they handle in accordance with this Policy and any applicable data security procedures at all times.

Data processor or Processor

This is the person or organisation, other than a Data User, that processes Personal Data on behalf of and on the instructions of the Controller. Employees of data controllers are excluded from this definition, but it could include suppliers which handle Personal Data.

Insight Angels will variously be a Controller (e.g. in respect of ad-hoc sample Insight Angels recruits for a survey) or a Processor (e.g. in respect of sample provided by clients). Some jurisdictions use other expressions for the same concept, like Third Party, Intermediary, Operator, etc.

Data Subjects

For the purpose of this Policy, this includes all living individuals about whom Insight Angels holds Personal Data. A Data Subject need not be a country national or resident. All Data Subjects have legal rights in relation to their personal information.

Personal Data

The GDPR’s definition of Personal Data (GDPR Article 4 (1)) makes it clearer what Personal Data are and shows that this must be widely interpreted: "…any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person". A natural person is a living individual and the GDPR itself does not apply to deceased individuals. However, individual member states may provide for rules concerning the processing of Personal Data even in respect of deceased persons. Information about a company will not constitute Personal Data. One has to acknowledge that it is not always possible to determine with absolute certainty whether an individual item of information would constitute Personal Data. It will be necessary to look at the overall information held about the person in question or the means reasonably likely to be used to identify a person. With the ever-improving technological means, more data will become Personal Data.

Processing

Processing is any activity that involves use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring Personal Data.

Special categories of data (p/k/a personal sensitive data)

“Special categories of Personal Data” is the new expression used in the GDPR and was previously referred to as “sensitive data”. This is now defined in Article 9 GDPR as data concerning the: “Racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data [see below], biometric data [see below] for the purpose of uniquely identifying a natural person, data concerning health [see below] or data concerning a natural person's sex life or sexual orientation.” For some of these expressions more detailed definitions have been provided in the GDPR:

‘Genetic data’ means Personal Data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;

‘Biometric data’ means Personal Data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopy data;

‘Data concerning health’ means Personal Data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

Anonymous Data

This has been defined as information which does not relate to an identified or identifiable natural person or to Personal Data rendered anonymous in such a manner that the Data Subject is not or no longer identifiable (GDPR Recital 26). This must be distinguished from data which, together with the use of additional information (e.g. a key), could be used to identify a natural person, in which case the data would be merely pseudonymised. Pseudonymised data still fall under the definition of Personal Data and full GDPR principles and requirements will still apply to them.

Pseudonymisation

Pseudonymisation means the processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the Personal Data are not attributed to an identified or identifiable natural person (GDPR Article 4(5)). Pseudonymous data refers to data in which the identifiers in a set of information have been replaced with artificial identifiers, or pseudonyms, that are held separately and subject to technical safeguards. Pseudonymised data remain Personal Data and therefore all other data protection requirements continue to apply to them.

PII or Personally Identifiable Information

This term derives from US privacy legislation. Although, from the practical perspective of Insight Angels’ day-to-day work, the expressions Personal Data and PII can be treated as synonymous, the use of the expression PII in the context of the GDPR has to be avoided, as it otherwise negatively impacts on our obligation to demonstrate compliance. Regulators are very keen on consistency and accuracy in the use of expressions.

PHI or Protected Health Information

This term also derives from US privacy legislation, in particular HIPAA. Although, from the practical perspective of Insight Angels’ day-to-day work, the expressions special categories of Personal Data and PHI should be treated as synonymous, the use of PHI in the context of the GDPR should be avoided. The main issue to be considered here is that certain Personal Data that would fall under the legal definition of PHI would, under the GDPR, constitute Personal Data rather than special categories of data. For example, HIPAA would consider all information in a dataset that contained a name and sexual orientation to be PHI, whereas the GDPR would only consider the sexual orientation to be part of the special categories of Personal Data.

PSI or Personal Sensitive Information

This expression is now outdated, having derived from previous legislation. It is largely synonymous with “special categories of Personal Data” as defined in GDPR Article 9, and the latter expression should be used. Regulators will expect Insight Angels to use the correct terminology to demonstrate our compliance as part of our accountability obligation.