Data Protection Statement

Data Protection

Insight Statistical Consulting are committed to the privacy and security of your data and fully adheres to the General Data Protection Regulations (GDPR) and the Market Research Society Code of Conduct.  Insight Statistical Consulting is registered with the Data Protection Commissioner as a Data Processor (Ref: 1850/A) and has key responsibilities in relation to the information which we keep on computer or in a structured manual file about individuals.

These responsibilities state that we will:

1. Obtain and process the information fairly
2. Keep information only for one or more specified and lawful purposes
3. Process information only in ways compatible with the purposes for which it was given to us initially
4. Keep information safe and secure
5. Keep information accurate and up-to-date
6. Ensure that information is adequate, relevant and not excessive
7. Retain information no longer than is necessary for the specified purpose or purposes
8. Give a copy of his/her personal data to any individual, on request.

Insight Statistical Consulting (Insight) shall at all times comply with the Data Protection Act 1988 and 2003 (as applicable) (the “Legislation”) and any regulations made under or separate to the Legislation or any other legislation relating to the protection of personal data.

As Data Processors our responsibility as a research agency is to ensure that customer information is stored and handled in a safe and secure manner at all times. When using client lists Insight act as Data Processors.

Customer lists are only used for the intended purpose of the client – the market research project. All customer lists are password protected on our managed IT Services in Microsoft Azure. Soft copies are never stored outside of Azure. If printed, they are stored in a locked filing cabinet when not in use and are disposed of using a shredder. All customer lists are securely deleted from the server within a timeframe agreed with the client.

In the absence of any express instructions to the contrary, all personal data received by Insight from any client shall be retained for as long as is necessary, having consideration to the processing that was carried out, and in any event for no longer than 6 months once such processing ceases and thereafter such data shall be securely deleted and/or destroyed thereafter, whether in electronic or manual format.

Where it is necessary to transfer personal data from one location to another, whether physically or electronically, the necessary information security precautions need to be taken. This includes the use of electronic encryption technology.

Insight utilises a series of Virtual Machines hosted in Microsoft Azure using Windows Server.  Our server can only be accessed by selected Insight staff who have signed a Confidentiality Agreement and abide the Market Research Society Code of Conduct. We have procedures in place to control access to the server and a full system backup is taken every day with 30 days retention (including file level and full system restore facility).  All endpoints are protected by the latest anti-virus softaware and critical system indicators are monitored and maintained using Datto RMM, including patch management.  

Insight will refrain from disclosing personal data to any third parties other than to permitted sub-contractors to whom disclosure is reasonably necessary in order for the us to carry out the Services, provided that in all cases:

1. such disclosure is made subject to written terms substantially the same as the terms contained in this processor agreement;
2. such disclosure has been approved in writing in advance by the client; and
3. upon the request of the client, promptly provide a written description of the technical and organisational measures employed by it and/or any of its permitted sub-contractors, detailed to such a level that the client can determine whether or not, in connection with personal data, the Supplier and its permitted sub-contractors are complying with their obligations under this Agreement. If, in the clients opinion, the measures employed by the Supplier and/or its permitted sub-contractors are not sufficient to ensure compliance with their obligations under this Agreement, the Supplier shall take all steps (or procure that its permitted sub-contractors take all steps) which are reasonably required to ensure that such compliance is achieved;
4. afford to the client (and procure that its permitted sub-contractors afford to the client) access on reasonable notice and at reasonable intervals to any premises where the relevant personal data are being processed to enable The client to ensure that the Supplier is complying with its obligations under this Agreement and/or that the Supplier’s permitted sub-contractors are complying with the equivalent contractual obligations imposed on them;
5. promptly refer to The client any requests, notices or other communication from data subjects, the office of the Data Protection Commissioner or any other law enforcement agency relating to personal data for The client to resolve;
6. at no additional cost, provide such information to The client as The client may reasonably require, and within the timescales reasonably specified by The client, to allow The client to comply with rights of data subjects, including subject access, or with notices served by the office of the Data Protection Commissioner; and

Our Data Protection Officer – David Harmon (an Insight employee) – ensures adherence to secure storage and handling of data by all Insight employees.

How to contact us

Questions regarding this policy, complaints about our practices and access requests should be directed to the Insight Data Protection Officer via e-mail at dpo@insightsc.ie or by mail to 60 Merrion Square (South), Dublin 2, D02 NT04, Ireland.  Insight can also be contacted via phone at ++353 1 6612467