Global Privacy & Data Protection Policy (“Policy”) – 9-26-2023
Galileo Research & Strategy, LLC (“Galileo”) is committed to protecting the privacy of anyone with whom Galileo interacts and communicates, including employees, clients, and Market Research Respondents who volunteer to interact with Galileo directly or indirectly (“Respondents”). Galileo is committed to ensuring that legally protected personally identifiable information (“PII”) is protected to the extent required and to using commercially reasonable efforts to ensure compliance with applicable legal requirements by all Galileo employees, subcontractors, and vendors who may provide such PII to Galileo.
This Policy lays out the protections that Galileo follows in every market. Galileo is compliant with the privacy principles of IA (Insights Association https://www.insightsassociation.org/), ESOMAR (the European Society for Opinion and Market Research https://esomar.org/), and the EU’s GDPR (General Data Protection Regulation https://gdpr-info.eu/). When Galileo conducts business in international markets outside of the US and EU, including interactions with subcontractors, vendors, and Respondents, Galileo uses commercially reasonable efforts to abide by any additional applicable local privacy and data protection policies as set within each market.
PII must be processed lawfully, for limited purposes, sufficient for its purpose but not collected beyond the needs of the circumstances, kept for a finite and well-defined period of time, held securely, and only transmitted as needed and in a secure manner.
In Galileo’s usual business operations, Respondents’ PII is not collected directly by Galileo. Subcontractors and vendors may collect PII, such as full name, address, phone number, and email address, in order to facilitate Respondents’ engagement in market research with Galileo. Galileo will use commercially reasonable efforts to require such subcontractors and vendors to have a Global Privacy & Data Protection Policy that is in line with this Policy and IA, ESOMAR, and GDPR, and/or other market regulations, as applicable. No PII is ever shared directly with Galileo from subcontractors and vendors who are reaching out to potential Respondents on Galileo’s behalf. All information is fully blinded before transfer from a subcontractor or vendor to Galileo.
In the event that PII must be transferred directly to or through Galileo, all data are encrypted and password protected before receipt by Galileo and before being sent from Galileo to another party. PII is stored on secure servers for a limited amount of time, corresponding to the length of the engagement or market research project plus a legally compliant retention period thereafter, and can only be accessed by those Galileo employees who are directly working on the engagement or project. Such PII is subsequently erased upon completion of the project or business engagement.
PII is never transmitted by Galileo across borders.
For any PII stored by Galileo, Respondents retain the right at any time to request information on which data about them has been stored, to know the identities of any 3rd party who has received PII in relation to the project with Galileo, to correct any incorrect and/or amend any incomplete information, to withdraw consent, to request their data be erased, and to request that a Respondent’s PII be made available in a format such Respondent may access (such as Microsoft Word or Excel files) – in other words, the right to data portability.
Galileo employees are only allowed to access data within the scope of the project or business engagement and may not utilize data for their own private or commercial purposes or disclose them to unauthorized parties. This obligation remains in force even after such employment has ended.
Under their agreements with Galileo, clients on whose behalf Galileo conducts market research or other business operations also retain the right to understand how Galileo processes and protects personal data to ensure it complies with their requirements for privacy and data protection. Galileo never provides clients or other parties with direct or indirect access to PII as collected by Galileo or their subcontractors or vendors, unless compelled to do so by an order from a court of competent jurisdiction.
This Policy may be amended and updated from time to time, including, but not limited to, in order to maintain compliance with changes in local market regulations such as the GDPR.