Questions on Retention Policies

1. I had a question / needed advice. We bought your toolkit in 2022. We are a marketing research company that collects data for surveys. We support Quant and Qual research. I was wondering if you could share your views on the two questions below.Is there a recommendation for Retention Policies. Would 5 years be too much?

There are no fixed timeline recommendations for the Retention Policies, so 5 years might not be too much. However, please take into consideration that when you establish a retention policy for certain categories of data, you need to take into consideration that storage is personal data processing, according to Article 4 GDPR – Definitions, and you need a purpose, as per Article 5 GPDR – Principles relating to processing of personal data and a legal ground for processing, as per Article 6 GDPR - Lawfulness of processing. Based on the purposes and on the legal grounds associated to each purpose of processing, you establish the retention policy; for example, you might need to store the personal data of research participants for 5 years due to fiscal law requirements.

2. For Qual In depth interviews where we have video recordings. For anonymization – would it suffice to blur out the faces or do we  HAVE to also distort the voices as well?

For anonymization of personal data from a video recording you should take into consideration blurring the faces, distinctive body signs, unique tattoos and distort the voices – voice is personal data.

3. If I have many files with a unique ID provided by our third party vendor, age, gender, zip code, ethnicity, sexual orientation.

If I Delete ID from the file, would the data be considered anonymized? OR would I have to take further steps to anonymize it, such as remove zip code as well.

When considering whether deletion of ID from a file is a sufficient anonymization technical measure, you need to establish what is the probability of re-identification of an individual based on the remaining data categories. A study published in 2019 in Nature communications revealed the fact that 99.98% of Americans would be correctly re-identified in any dataset using 15 demographic attributes. So make sure you anonymize the right data categories in order to have a correct anonymization.

Please also consult these links:

• Article 4 GDPR – Definitions: https://advisera.com/nl/gdpr/definitions/
• Article 5 GPDR – Principles relating to processing of personal data: https://advisera.com/nl/gdpr/principles-relating-to-processing-of-personal-data/
• Article 6 GDPR - Lawfulness of processing: https://advisera.com/nl/gdpr/lawfulness-of-processing/
• Webinar: How to Use Legitimate Interest to Comply With EU GDPR: https://advisera.com/webinars/how-to-use-legitimate-interest-to-comply-with-eu-gdpr-free-webinar/
• Estimating the success of re-identifications in incomplete datasets using generative models: https://www.nature.com/articles/s41467-019-10933-3/

Thanks so much Tudor that is super helpful!

I do have some new questions; I am in the process of filling out the ROPA.

• Categories of recipients – maybe a dumb question but would this be the people that receive the data. For example, for a quantitative 13 minute survey where a third party is collecting the data. The recipients would be Ypulse employees? Because categories of data subjects would be Survey Panelists, and processor is the third party.
• Also, another silly question, but I believe the lawful basis for processing is Legitimate Interests. Although, we do provide marketing research services to companies via Presentations and PPTs that we deliver, and we provide consulting services based on the research we conduct. And we do have a contract/ SOW designed with our clients. Can you confirm this would still be Legitimate interest or if this would be more considered ‘contract’, as legitimate interest?
• I am also not clear on what to add under this column: Data Protection Act 2018 Schedule 1 Condition for processing. I am not really sure what to add for this column. Can you advise on this one.
  • For example, for Quan surveys?
  • Or for when we are communicating with clients – this would be legitimate interest again?
  • Or when we conduct qualitative surveys as well. 

Thank you so much in advance, or let me know if I direct these questions back on the other chat with Advisera. Have a wonderful weekend!

1: Categories of recipients – maybe a dumb question but would this be the people that receive the data. For example, for a quantitative 13 minute survey where a third party is collecting the data. The recipients would be Ypulse employees? Because categories of data subjects would be Survey Panelists, and processor is the third party.

No. In this case, categories of recipients mean the other data controllers, joint data controllers, or data processors that receive personal data. Related to the example you provided, recipients would be the hosting company where the data would be stored, third-party partners that collect the data, and other third parties that need to process the personal data.

2: Also, another silly question, but I believe the lawful basis for processing is Legitimate Interests. Although, we do provide marketing research services to companies via Presentations and PPTs that we deliver, and we provide consulting services based on the research we conduct. And we do have a contract/ SOW designed with our clients. Can you confirm this would still be Legitimate interest or if this would be more considered ‘contract’, as legitimate interest?

The lawful basis for processing in the example you provided should be either consent, if the participants are not remunerated for answering the survey, or the necessity to perform contractual clauses, if participants are remunerated for answering the survey (because there would be a contract in place between your company and the participants). In the case of legitimate interest, people should expect the processing to occur, and my opinion is that in this case, because you are doing quantitative research, it would be quite difficult to argue this legal ground for processing personal data.

3: I am also not clear on what to add under this column: Data Protection Act 2018 Schedule 1 Condition for processing. I am not really sure what to add for this column. Can you advise on this one.

For example, for Quan surveys?Or for when we are communicating with clients – this would be legitimate interest again?Or when we conduct qualitative surveys as well.

Data Protection Act 2018 Schedule 1 is related to processing special categories of personal data – like health, criminal convictions, etc. This column should be filled only if you process such categories of personal data, and in this case, you should identify what would be the condition of processing, namely Employment, Social Security, Social Protection, Health, Social Care, etc.

Please also consult these links:

• Article 9 GDPR – Processing of special categories of personal data: https://advisera.com/gdpr/processing-of-special-categories-of-personal-data/
• EU GDPR Glossary of Terms: https://advisera.com/articles/eu-gdpr-glossary/