Personal data is information that relates to an identified or identifiable individual. We use your personal data for purposes including to manage our relationship with you, to promote and market our products and services including the use of profiling and social media, to operate our business effectively, and so we can comply with our legal obligations. You can find out more about each of these purposes in Section 2 of this notice.

We only share your information with other organisations or transfer it outside the UK or European Economic Area (EEA) when this is necessary, and we require these third parties to respect the security of your data and treat it lawfully. Further information is found in Sections 3 and 4.

We’ll only retain your personal data for as long as it’s needed to meet our operational, legal or reporting requirements, or to defend our legal rights. Section 5 provides more detail.

The rights you’re granted in relation to our use of your personal data and information on how to make a rights request can be found in Section 6.

Information about our use of cookies and similar technologies can be found in our cookie notice.

• Your personal data is used so we can provide services to you. Any such processing is a contractual requirement so we can, for example, fulfil a research brief you submit to us or provide information you request.
• It’s used to process payments and to prevent fraudulent transactions. We do this as part of our contractual obligations to you, and our legitimate interests to help protect our customers from fraud.
• We’ll respond to your queries and any complaints using the contact details you provide. We do this as part of our contractual obligations to you, and our legitimate interests to provide you with the best possible service.
• Our core business is to undertake research and studies to improve our products and services, and to produce information of relevance to our industry. This may include combining information with third party datasets and information. Any research findings or final reports do not generally identify individuals, but where this is planned, and as part of the research consent process, we’ll provide you with further privacy information to explain exactly what your personal data will be used for.

• We’ll only send our newsletter or electronic direct marketing to you where we have your consent to do so.
• If you change your mind about receiving our newsletter or electronic direct marketing, simply click the unsubscribe link in any emails we send you or contact our DPO at the contact details above.
• When we send you a direct marketing email or newsletter, we may track how you respond to it using a ‘pixel’. We do this so we can see whether the email was opened and if any content was clicked, so that we can understand how effective our marketing strategies are and make improvements, where necessary. You can find out more about our use of pixels and cookies, and how to amend your settings, in our cookie notice.
• We conduct profiling so we can identify opportunities to promote our products and services to customers and prospective customers. This may include reviewing previous purchases made by customers and consumers of C&C Group entities and combining this information with other datasets and information. This profiling allows us to better understand which of our products and services are likely to be of interest to you and develop our marketing campaigns accordingly. The lawful basis for profiling is our legitimate interest to promote our brands and help ensure our customers receive information which is likely to be of most interest. You can contact us if you don’t want us to use your personal data for this purpose. For more information, see the ‘right to object’ held in the ‘Your rights’ section below.

The purposes outlined in this section are primarily carried out under the lawful basis of our legitimate interests.

• We’ll use your personal data to make sure we give you and other customers the best possible service, and to run effective and efficient systems and processes. This includes developing, testing and improving our systems, sites and services.
• It’s used for business management, decision-making and planning purposes, to effectively operate and protect our business.
• We may send you survey and feedback requests to help improve our products and services. You’re under no obligation to respond or take part if you receive these from us.
• We monitor our network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution.
• We monitor visits to this website including, but not limited to, traffic data, location data, web logs and other communication data. You can find out more information about this in our cookie notice.

• Your personal data will be used to handle service issues or legal disputes involving you, other customers and suppliers, or our own employees, workers and contractors.
• We may use it during our accounting and auditing processes and for any regulatory or legal reporting purposes which we’re required to comply with.

We may share your data:

• With the other entities within C&C Group plc, as part of our regular reporting activities on company performance, as part of research findings conducted about our brands and products, in the context of a business reorganisation or group restructuring exercise, or for system maintenance support and hosting of data.
• If you agree to participate in a research project, your personal data may be shared with the client and third parties working with the client for their market research and other related business purposes, such as meetings and briefings. Where any such sharing is planned, and as part of the research consent process, we’ll provide you with further privacy information to explain exactly what your personal data will be used for.
• With companies that help us provide our products and services, for example companies that source participants for our research panels.
• With marketing and media agencies who help us with our promotional activities, such as competitions or incentive fulfilment.
• With IT system providers, including data storage providers and their technical support teams, if necessary.
• With governmental bodies, regulators, law enforcement agencies, insurers, our accountants, auditors, legal advisors, debt collection agencies, or court or tribunal services where we are required to do so to comply with legal obligations, exercise or defend our legal rights, to prevent and detect crime or prosecute offenders, or to safeguard and protect our employees, customers or other individuals.
• If we sell or buy any business or assets, we may disclose your information to the prospective seller or buyer of such business or assets. If we’re acquired by a third party, customer information will be one of the transferred assets so they can continue to provide services to you.

We require these parties to respect the security of your data and to treat it in accordance with the law. Where a third party is acting as a data processor, they’ll act solely on our instructions and will only use your information for that specific purpose.

Your personal data may be transferred to and stored in locations outside the UK and the European Economic Area (EEA). This will typically occur when we use service providers located outside of these areas. These data transfers require us to follow certain rules under data protection law to ensure that your data will be adequately protected, so we’ll only transfer data to countries that have been confirmed as protecting personal data to UK standards, or where we have put contractual commitments in place which make sure the data is protected to these standards.

Please contact our DPO if you want to find out more about where personal data is transferred to, or the safeguards we have in place.

Your personal data is only kept for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any operational, legal or reporting requirements, and in order to defend our legal rights. To decide the right retention period, we consider the purposes for which the data is processed, the amount, nature, and sensitivity of it, the potential risk of harm from unauthorized use or disclosure, and any applicable legal requirements.

Your personal data is deleted once it’s no longer needed for these purposes.

Under data protection law you have the right to:

• Request access to your personal information (commonly known as a data subject access request). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
• Request the correction of incomplete or inaccurate personal information that we hold about you.
• Request erasure of your personal information in certain circumstances. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
• Object to processing of your personal information in certain circumstances. You also have the right to object where we are processing your personal information for direct marketing purposes.
• Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
• Request the transfer of your personal information to another party, known as data portability.
• Withdraw your consent. In circumstances where your consent is the lawful basis for the processing, you have the right to withdraw your consent at any time.
• If you want to exercise any of these rights please contact GDPR@proofinsight.com.

Your right to complain to a data protection regulator

We aim to collect, use and safeguard your personal information in line with data protection laws and guidance. If you do not believe we have handled your personal data appropriately, please get in touch with our Data Protection Officer using the contact details above so that we can try to resolve your concerns.

While we hope that we can resolve your concerns, you do have the option to complain to a data protection authority regardless of whether you have exhausted our internal procedure.

For UK residents:

You have the right to lodge a complaint with the Information Commissioner’s Office (ICO). You can find further information and contact details at https://ico.org.uk.

For ROI residents:

You have the right to lodge a complaint with the Data Protection Commission (DPC). You can find further information and contact details at https://www.dataprotection.ie