This Privacy Notice sets out the data processing practices and policies carried out through the use of the Internet and any other electronic communications networks by Vox Pops International. If you have any requests concerning your personal information or any queries with regard to these practices, please contact the Data Controller at firstname.lastname@example.org or call us on +44 20 8786 8855. Alternatively, you can also write to us at Data Controller, Vox Pops International, Fitzalan House, 70 High St. Ewell, Surrey, KT17 1RQ. Please note that all data thus captured will be used and held in accordance with the requirements of the UK Data Protection Act 1998 and GDPR (General Data Protection Regulation) coming into effect from 25th of May 2018.
How we use your information
This privacy notice tells you what to expect when Vox Pops International collects personal information. It applies to information we collect about:
- visitors to our website(s)
- any surveys we conduct
- complainants and other individuals in relation to a data protection or freedom of information complaint or enquiry;
- people who use our services
Visitors to our websites
When someone visits www.voxpops.com we use a third-party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.
Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. The table at the end of this policy explains the cookies we use and why.
Search queries and results are logged anonymously to help us improve our website and search functionality. No user-specific data is collected by either Vox Pops International or any third party.
Personal Data for Direct Marketing
Vox Pops International conduct B2B direct marketing using personal data sourced from publicly available sources, from companies or organisations themselves and from mailing list provider companies such as Electric Marketing. So that our B2B communications are compliant with the GDPR, Vox Pops International have conducted a Legitimate Interests Assessment, which ensures that the personal data we process for direct marketing is used in a lawful and compliant manner. You can access our Legitimate Interests Assessment document here.
We will stop processing personal data for direct marketing purposes as soon as we receive an objection at any time and without charge.
We will inform individuals of their right to object at the point of first communication and in our privacy notice, clearly and separately from any other information.
We use Zoho Campaigns, secure cloud-based software, to deliver our monthly e-newsletters. We only process the data of individuals who can reasonably expect to receive B2B direct marketing from companies such as Vox Pops International. We gather statistics around email opening and clicks using industry standard technologies to help us monitor and improve our e-newsletter.
Security and performance
Vox Pops International uses a third-party supplier, Fasthosts, to host and maintain the security and performance of our website. To deliver this service it processes the IP addresses of visitors to the website.
We use a third-party service, WordPress.com, to publish our website and blog, and for some of our portals. The site is hosted on a dedicated secure ISO 27001 compliant server at Fasthosts.com. We use a standard WordPress service to collect anonymous information about users’ activity on the site, for example the number of users viewing pages on the site, to monitor and report on the effectiveness of the site and help us improve it. WordPress requires visitors that want to post a comment to enter a name and email address.
People who contact us via social media
We use Zoho, our cloud-based CRM to manage our social media interactions. Zoho is a GDPR compliant service provider.
People who call our office
When you call our office, we currently do not record calls; however, we are considering a new phone system in the future which will do so. If this is the case, we will advise in advance if the call is recorded.
People who email us
We use Transport Layer Security (TLS) to encrypt and protect email traffic. If your email service does not support TLS, you should be aware that any emails we send or receive may not be protected in transit.
We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.
Right to access data
Individuals have the right to access their personal data and supplementary information which Vox Pops International may hold about them. The right of access allows individuals to be aware of and verify the lawfulness of the processing.
Under the General Data Protection Regulation (GDPR), individuals will have the right to obtain:
- confirmation that their data is being processed;
- access to their personal data; and
- other supplementary information
The GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing.
We will provide a copy of the information free of charge. However, we may charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
We may also charge a reasonable fee to comply with requests for further copies of the same information based on the administrative cost of providing the information.
Information will be provided without delay and at the latest within 5 working days of receipt.
We may need to extend the period of compliance where requests are complex or numerous. If this is the case, we will inform you within 48 hours of the receipt of the request and explain why the extension is necessary.
Where requests are manifestly unfounded or excessive, in particular because they are repetitive, we may:
- charge a reasonable fee taking into account the administrative costs of providing the information; or
- refuse to respond.
Where we refuse to respond to a request, we will explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within 5 working days.
We will always verify the identity of the person making the request, using ‘reasonable means’.
If the request is made electronically, we will provide the information in a commonly used electronic format.
The GDPR includes a best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system which would provide the individual with direct access to his or her information. Vox Pops currently does not offer this facility; however, we are exploring options for the future.
Where we process a large quantity of information about an individual, the GDPR permits us to ask the individual to specify the information the request relates to.
The GDPR does not include an exemption for requests that relate to large amounts of data, but we may need to consider whether the request is manifestly unfounded or excessive.
Right to withdraw consent
We will fully respect and act on any request to withdraw consent within 48 hours of such request. We will then confirm once the data has been removed and deleted or destroyed.
Right to object to processing
Individuals have the right to object to:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing (including profiling); and
- processing for purposes of scientific/historical research and statistics.
Individuals must have an objection on “grounds relating to his or her particular situation”.
We will stop processing the personal data unless:
- There are compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual;
- or the processing is for the establishment, exercise or defence of legal claims.
We will inform individuals of their right to object “at the point of first communication” and in our privacy notice.
This will be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
Personal Data for Research Purposes
Individuals must have grounds relating to his or her particular situation in order to exercise their right to object to processing for research purposes. If we are conducting research where the processing of personal data is necessary for the performance of a public interest task, we are not required to comply with an objection to the processing; however, in most cases, we will respect any such objection.
Who will administer incentives
Incentives will be administered by a staff member or representative on behalf of Vox Pops International. An acknowledgement of receipt of the incentive may be required through the signing of a release form stating the purpose of the research and how your data will be used and which will be confirmed prior to the research taking place.
Details of any international data transfer to 3rd countries
We do not anticipate transferring data to countries outside of the EU except in those instances where we are conducting work outside of the EU on behalf of a UK client or conducting work in the UK on behalf of a client based outside of the EU. In these instances, GDPR regulations may not apply or if so, an exception may be made and confirmed in advance with the client.
Data retention period & criteria for retention
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
When we are supplied with customer data by a client in order to carry out research on their behalf, we will retain this data securely for up to five years. The data will be logged in a register and on or around the five-year anniversary date of the logging of the data, it will be reviewed and unless there is good reason for its retention, it will be destroyed.
Although most consumer data featuring in videos which we produce is anonymised, in some cases it may not be. We will be logging the completion date of all of our video productions and on or around the five-year anniversary of the production of the video, the video will be reviewed and unless there is good reason for its retention, it will be destroyed.
Right to lodge complaint with supervisory authority
Every data subject has the right to lodge a complaint with a supervisory authority such as the Information Commissioner’s Office (ICO) or the European Data Protection Supervisor (EDPS) if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
The supervisory authority with which the complaint has been lodged will inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.
Right to port data
The company will respect the right to port data to allow individuals to obtain and reuse their personal data for their own purposes across different services.
Right to erasure of personal data
The company will normally fully respect the right of individuals to have personal data which the company holds erased. Requests for erasure may be made verbally or in writing and will be acted on within 5 working days of receipt of the request. If there is any reason why the data cannot be erased, this will be communicated to the individual within 5 working days of the request for the erasure.
Right to rectify data held
Individuals have the right to have inaccurate personal data rectified or completed if it is incomplete. Requests for rectification may be made verbally or in writing and the company will action any such request within 5 working days of the request.
People who make a complaint to us
When we receive a complaint from a person we will make up a file containing the details of the complaint. This will contain the identity of the complainant and any other individuals involved in the complaint.
We will only use the personal information we collect to process the complaint and to check on the level of service we provide.
We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute. If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.
We will keep personal information contained in complaint files in line with our retention policy. This means that information relating to a complaint will be retained for five years from closure. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.
Similarly, where enquiries are submitted to us we will only use the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.
People who use Vox Pops International’s services
Vox Pops offers various services to the business sector.
We have to hold the details of the people who have requested the service in order to provide it. However, we only use these details to provide the service the person has requested and for other closely related purposes. When people do subscribe to any of our newsletters or information, they can cancel their subscription at any time and are given an easy way of doing this.
Service providers reporting a breach
Public electronic communications service providers are required by law to report any security breaches involving personal data to the ICO.
We provide an online form for this purpose, hosted by Egress. We use the data collected by the form to record the breach, to make decisions about the action we may take, and as relevant in order to carry out those actions. We retain personal information only for as long as necessary to carry out these functions, and in line with our retention schedule. This means that logs and breach reports will be retained for five years from receipt, and longer where this information leads to regulatory action being taken. We retain de-personalised information about organisations for as long as is necessary to help inform future actions, but no individuals are identifiable from that data.
The ICO and Egress have measures in place to ensure the security of data collected and transferred to the ICO via this form. Egress is a data processor for the ICO and only processes personal information in line with our instructions.
Use of data processors
Data processors are third parties who provide elements of our recruitment service for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.
Under the Data Protection Act 1998, you have rights as an individual which you can exercise in relation to the information we hold about you.
Complaints or queries
Vox Pops International tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.
This privacy notice provides general details of Vox Pops’ collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below.
If you want to make a complaint about the way we have processed your personal information, you can contact us in
Access to personal information
Vox Pops International tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 1998. If we do hold information about you, we will:
- give you a description of it;
- tell you why we are holding it;
- tell you who it could be disclosed to; and
- let you have a copy of the information in an intelligible form.
To make a request for any personal information we may hold you need to put the request in writing to the address provided below.
If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.
If we do hold information about you, you can ask us to correct any mistakes.
Disclosure of personal information
We will not disclose personal data without consent and we do not share our data with any outside organisations for marketing purposes, and only to carry out our professional services to a client or where processing for the management of that data by a registered, qualified and compliant data processor as may be required for research analysis purposes only.
Links to other websites
This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.
Changes to this privacy notice
We will conduct regular audits of this privacy notice and our policies and procedures in relation to the management of our data to ensure compliance and good business practice. This privacy notice was last updated on 17 May 2018.
How to contact us