Version 1

South Africa
Privacy Policy for Online Surveys
Introduction
This research is conducted by Kantar South Africa Pty Limited who is the data controller. By agreeing
to participate in this research, you agree to this use. We ask you to read this Privacy Policy carefully.

For the purpose of this Policy, the definition of ‘personal information’ is information which relates to
and can identify a living individual or an existing juristic person.

For the purposes of this Policy, the definition of ‘Data Protection Laws’ includes the General Data
Protection Regulation and the Protection of Personal Information Act and all applicable laws.

Lawful Collection and Use of Data

The purpose for collecting your personal data is:

• Conduct research based on your responses

• Contact you to participate in a survey
• Select you for future surveys
• Include you in our prize draws
• Allow us to reward you with the promised incentives

We have set out below more detailed information about how we use your personal data. We are also
required by law to explain the legal basis for processing your personal data. These legal bases are
listed below and could be different for each use case:

• we have your consent for the use of your personal data

• we need to use your personal data in order to perform a contract with you

• we need to process your data to comply with a legal obligation

• we need to process your data in order to protect your vital interests or someone else

• the processing is necessary to perform a task in the public interest or

• the use of your personal data is necessary for our (or our clients’) legitimate interests (in which case
we will explain what those interests are).

We will never misrepresent ourselves or what we are doing. If you receive an email that concerns
you, purporting to be from us, please let us know as shown below in ‘How to contact us’.
 Version 1

The main purpose for our collecting your personal data is to conduct market research. When we
contact you, generally by email, post, telephone or in person, we do so to invite you to participate in
a face-to-face market research survey.

Case Purpose Data collected/processed

Fraud Protection Protection of our IP address, browser specifications, device

business interests specifications, postal addresses, email addresses
against fraudulent
behaviour or behaviour
not in line with our
Terms and Conditions

Public Disclosure To share or disclosed Identifier, name, contact details, email address,
pursuant to judicial or incentive
other government
subpoenas, warrants,
orders or pursuant to
similar and other legal
or regulatory
requirements, we will
provide such
information to the
appropriate authorities.
Survey Participation Prevention of multiple IP address, browser specifications, device
Uniqueness entries in surveys by the specifications
same individuals in line
with our Terms and
Conditions

Tracking of the When you participate in Persistent unique project-specific identifier

Answers of Recurring our surveys, we
Respondents (special typically use a
research design temporary ID which
projects) makes your answers in
the survey anonymous
to our clients. However,
some of our clients
have the specific
research design need to
understand how your
opinion has evolved
over a period of time.
For this specific project
type that we call
"tracking" projects we
will use persistent IDs
 Version 1

and we will make this

clear at the beginning of
each of these surveys.
Your survey responses
will be considered as
personal data and you
will have the right to
access them. Such
projects will contain a
notice on the very first
page of the survey, so
that you can identify
them and decide
whether or not to take
part.

Data Matching and We enrich the data we Persistent unique identifier, contact details, email
Enrichment hold on file about you address, social login, cookie, mobile device ID
by matching your
personal data with third
parties. This will help us
to improve your panel
profile and ensure that
we select relevant
surveys for you.

We utilize matching
services (i.e. third
parties who are
specialized in data
management) to
acquire additional
information about you
from public and private
data sources (such as
social networks,
retailers and content
subscription services
with whom you have an
account) or to use your
personal data as an aid
to develop additional or
new types of
anonymous data sets
(i.e. we compile your
aggregate data with
data from other
consumers to create a
 Version 1

new lifestyle segment).

The matching service
(our partner) holds the
personal data we share
for a short time, uses it
to assemble the
additional information,
and then return the
combined information
to us. Partners are
contractually bound to
delete the data we
share with them or and
are not authorised to
use it in any way other
than for this specific
purpose.

Advertising Targeting We use your personal Persistent unique identifier, contact details, email
and Media Buying data to help our clients address, social login, cookie, IP address, mobile
Research and vendors enrich device ID
their data by using
lookalike modelling
techniques.
Thanks to your
participation in our
surveys and your profile
data, we can help our
clients to improve their
advertising targeting,
and to create better
online advertising
models, through
lookalike modelling or
similar research
methodologies. We will
use your personal data
we collect about you
through profile
building, participation
in research surveys or
data matching to match
with third-parties and
platforms (our
partners).
We include contractual
safeguards to ensure
that you will not
automatically be
targeted as a result of
 Version 1

your data being used to

help create a lookalike
audience, and that our
partners cannot use
your data for any other
purpose.

Ad Exposure and In addition to cookie- Persistent unique identifier, contact details, email
Measurement based matching (which address, social login, cookie, IP address, mobile
you can control and device ID
consent to via your
panel account), we will
use personal data you
provide to us, such as
email address, in a
direct matching process
with third parties (our
clients and partners) to
determine if you are a
user of that service
(such as social
networks, websites,
mobile apps) for
advertising
measurement research
purposes. We will
identify what
advertisements you
may have been exposed
to on those sites and
platforms and measure
how brand attitudes or
brand recall have
impacted sales. The
third parties that we
work with are not
allowed to use the data
for any other purpose.
Quality Control Evaluating the Contact details
performance of our
interviewers.
 Version 1

When you participate in our survey, we may ask you for a range of information, including, for example,
your personal opinions, and demographic information, such as your age and household composition.
You may decline to answer any questions or withdraw from participation in a study at any time.

We will never misrepresent ourselves or what we are doing. If you receive an email that concerns you,
purporting to be from us, please let us know as shown below in ‘How to contact us’ below.

In some instances, personal data may have been obtained from publicly accessible sources such as
internet search engines. In other instances, it would be supplied by our client as part of a contractual
requirement. At times we may obtain lists from approved list suppliers.

Third Parties
You can be assured that we will protect your privacy. We will not make your personal information
available to anyone without your agreement unless it is for research purposes only or if required by
law. This includes your name and e-mail address.

We may share your personal data with our sister companies within the Kantar group [insert details],
[e.g. data matching, data interactions, third party service providers, online ad effectiveness
measurement, social media data interactions, for research-related purposes, such as data processing,
and fulfilment of prize draws or other incentives.

Your personal information may be collected, stored, transferred or processed by our sister companies
within the WPP group, or 3rd party service providers for research-related purposes, such as data
processing, and fulfilment of prize draws or other incentives both within and across borders. They are
all contractually bound to keep any information they collect and disclose to us or, we collect and
disclose to them, confidential and must protect it with security standards and practices that are
equivalent to our own.

Data Transfer Across Borders

We or the third parties we share your data with may transfer your data across borders. Where these
transfers are across borders we shall put safeguards in place to ensure the transfer is made by a secure
and legitimate method for the purposes of Data Protection Laws.

Confidentiality, Security and Industry Requirements

We take appropriate technological and organisational measures to protect the personal information
submitted to us, both during transmission and once we receive it. Our security procedures are
consistent with generally accepted commercial standards used to protect personal information.
Unfortunately, no data transmission can be guaranteed to be 100% secure. As a result, while we strive
to protect your personal data, we cannot ensure or warrant the security of any information you
transmit to us or from our online products or services, and you do so at your own risk. Once we receive
your transmission, we will take reasonable steps to ensure our systems are secure.

All our employees are contractually obliged to follow our policies and procedures regarding
confidentiality, security and privacy.

We adhere to the following standards and industry requirements:

• ESOMAR professional codes of conduct

• SAMRA/AMRA professional codes of conduct
• ISO 20252 international market research quality standard;
 Version 1

• ISO 9001 international standard for quality management systems;

• ISO 27001 international standard for data security;

Cookie Disclosures
Cookies are small text files stored on your computer by a website that assigns a numerical user ID and
stores certain information about your online browsing. They are used by web developers to help users
navigate their websites efficiently and perform certain functions. The website sends information to
the browser which then creates a text file. Every time the user goes back to the same website, the
browser retrieves and sends this file to the website’s server.

We do not use cookies on standard online market research surveys.

For behavioural tracking research, we use optional cookies / software applications, but only if you
have given your explicit consent to such cookies / applications.

As is true of most online surveys, we gather certain information automatically and store it in survey
data files. This information may include things like Internet Protocol addresses (IP address), browser
type, Internet service provider (ISP), referring/exit pages, operating system and date/time stamp.

We use this automatically collected information to analyse trends such as browser usage and to
administer the site, e.g. to optimise the survey experience depending on your browser type. We may
also use your IP address to check whether there have been multiple participations in the survey from
this IP address.

Accuracy
We take all reasonable steps to keep personal information in our possession or control, which is used
on an on-going basis, accurate, complete, current and relevant, based on the most recent information
made available to us by you and/or by our client.

We rely on you to help us keep your personal information accurate, complete and current by
answering our questions honestly and you are responsible for ensuring that the data controller (which
may be us or - more often - our client) is notified of any changes to your personal data.

Children Data Collection

When we collect children’s data (all persons aged below 16 years of age at time of collection), we
require consent from their parent or legal guardian. This must be verified with ID from that individual
and they must confirm that no further consent from any other parent or guardian is required.

Local legal age laws vary per country which means consent may be required for those under 18 years
old in certain countries.

Rights of Individuals
To request access to personal data that we hold about you, you should submit your request in writing
to the e-mail address or postal address shown below in ‘How to Contact Us’.

You have the following rights in relation to your personal data:

• Right to change your mind and to withdraw your consent

• Right to access your personal data
• Right to rectify your personal data
 Version 1

• Right to erase your personal data from our systems, unless we have legitimate interest reasons
for continuing to process the information
• Right to port your personal data (portability right)
• Right to restrict processing of your personal data
• Right to object to the processing of your personal data

We shall also notify third parties to whom we have transferred your personal data of any changes that
we make on your request. Note that while we communicate to these third parties, we are not
responsible for the actions taken by these third parties to answer your request. You may be able to
access your personal data held by these third parties and correct, amend or delete it where it is
inaccurate.

Data Storage and Retention

Personal information will be retained only for such period as is appropriate for its intended and lawful
use, in this case we shall retain data for no longer than 12 months, unless otherwise required to do so
by law. Personal information that is no longer required will be disposed of in ways that ensure their
confidential nature is not compromised.

As part of the Company Business Continuity plan and as required by ISO 27001, ISO 9001, ISO 20252
and in certain instances the law, our electronic systems are backed up and archived. These archives
are retained for a defined period of time in a strictly controlled environment. Once expired, the data
is deleted, and the physical media destroyed to ensure the data is erased completely.

Automated Decision Making/Profiling

In certain circumstances we shall carry out automated decision making or profiling about you.
However, in the majority of cases this will not result in any legally significant decisions being made
about you. You have the right to appeal if any automated decision made about you is legally
significant. If you have any questions about this, please contact us.

How to Contact Us
For any further information you can contact us on PrivacyRSA@Kantar.com You can also contact our
Data Protection Officer Gillie Abbotts-Jones at PrivacyRSA@Kantar.com. Our Data Protection Officer
monitors our compliance with Data Protection Laws plus our privacy policy and is our contact point
for the supervisory authorities on issues relating to processing personal data.

Complaints
Data subjects must be informed of their right to contact the Data Protection Authority: we must notify
the data subjects of their right to complain to the Data Protection Authority and provide details of
how they do so. Include any country specific required disclosers, local regulation. Please contact us
using the details above.

Notification of Material Changes

We keep our Privacy Policy under regular review and it may be amended from time to time. We will
always have the most up-to-date policy at this address www2.kantar.com/za/privacy/mobile.pdf

We will record when the policy was last revised.

Date created: 31/01/19