Asia Research Partners – GDPR
What data are considered to be personal and sensitive?

This Privacy Notice informs you about the different personal and sensitive data types that fall under the General Data Protection Regulation (GDPR). The GDPR is a regulation designed to protect the processing of personal data and uphold the fundamental rights and freedoms of individuals in the European Union (EU) and the European Economic Area (EEA). 

Personal Data (Article 4):

According to the GDPR, personal data refers to any information that relates to a natural person who can be identified directly or indirectly. This individual is a “data subject.” It can be distinguished by different criteria, including their name, identification number, location data, online identifier, or particular qualities related to their physical, physiological, genetic, mental, economic, cultural, or social identity.

“Genetic Data” refers to personal data about a person’s inherited or acquired genetic characteristics. This type of data provides unique insights into the physiology or health of the individual and results from analyzing biological samples taken from the person.

 “Biometric Data” refers to personal data resulting from specific technical processes that relate to a natural person’s physical, physiological, or behavioral characteristics. These characteristics enable or confirm the unique identification of the individual, such as facial images or dactyloscopy (fingerprint) data.

“Data Concerning Health” encompasses personal data connected to a person’s physical or mental health. It includes information about health status and the provision of healthcare services that reveal insights into an individual’s health condition.

Special Categories of Personal Data (Article 9):

The GDPR recognizes special categories of personal data, previously referred to as sensitive personal data. These categories include data that reveal:

  • Racial or Ethnic Origin
  • Political Opinions
  • Religious or Philosophical Beliefs
  • Trade Union Membership
  • Genetic Data
  • Biometric Data (for uniquely identifying an individual)
  • Data Concerning Health
  • Data Concerning a Natural Person’s Sex Life or Sexual Orientation

Key Considerations:

  • Personal data might consist of multiple pieces of information, such as a combination of job title and workplace, which could identify an individual together.
  • Pseudonymized data still falls under the scope of personal data if it can be feasibly reversed, allowing for the re-identification of individuals by possessing the necessary information.
  • The GDPR’s data protection principles apply to information about identified or identifiable natural persons. Anonymous information that does not relate to or identify an individual falls outside the scope of this Regulation.
What are the roles of Data Controllers and Data Processors?

Data Controllers and Data Processors play distinct roles in processing personal data as defined by the General Data Protection Regulation (GDPR). Their responsibilities are outlined as follows:

Data Controllers:

Data Controllers have the authority to determine the purpose and methods of data processing. For instance, if you influence work design or maintain a list of potential respondents, you are considered a Data Controller.

Responsibilities of Data Controllers include:

  • Demonstrating compliance with GDPR and maintaining records.
  • Acting as the primary point of contact for data subjects.
  • Assessing and conducting Privacy Impact Assessments as required.
  • Conducting audits of Data Processors.
  • Ensuring that contracts contain appropriate details.
  • Incorporating privacy measures by design and by default.
  • Establishing a legitimate basis for data processing.
  • Appointing a Data Protection Officer if necessary.

Data Processors:

Data Processors handle data processing activities on behalf of Data Controllers. If you solely act according to the instructions of others, such as a market research or fieldwork agency, you are classified as a Data Processor.

Obligations of Data Processors include:

  • Obtaining approval to appoint sub-processors.
  • Enforcing GDPR obligations within sub-processor contracts.
  • Seeking permission to transfer personal data outside the EU.

Shared Responsibilities:

Both Data Controllers and Data Processors are required to:

  • Implement technical and organizational measures to safeguard data.
  • Ensure that contracts contain requisite details regarding data processing.
  • Appoint a Data Protection Officer if obligatory.
  • Maintain comprehensive records of processing activities.
  • Incorporate privacy considerations into the design and default settings.
  • Maintain a valid legal basis for data processing.
  • Safely store and manage data and associated records.
What is the ICO?

The ICO stands for the Information Commissioner’s Office. It serves as the supervisory authority and regulator for data protection in the United Kingdom. Operating as an autonomous entity, the ICO is tasked with safeguarding information rights within the UK. 

What does the GDPR entail for processing secondary data containing personal information?

GDPR requirements for processing secondary data in data analytics align closely with primary data in market research. ARP suggests the following steps for those handling secondary data in data analytics:

  • Audit systems to identify personal data processing.
  • Assess risks and consider privacy impact assessments if necessary.
  • Review contracts with third parties to clarify roles and expectations.
What terms/changes might we need to make to our contracts?

Contracts under GDPR should encompass the following:

  • Specific processing details: scope, duration, nature, purpose, data types, and subjects.
  • Risk assessment and DPIA inclusion.
  • Compliance information provision.
  • Safeguards: technical, organizational, confidentiality.
  • Data retention, return, and deletion procedures.
  • Data breach notification guidelines.
  • Inspection, auditing provisions.
  • Liabilities, assurances, indemnities for legal actions.
  • Responsibilities in joint controller scenarios.

Data processors require written consent from sub-processors (e.g., freelancers), adhering to GDPR. The inclusion of processor clauses in contracts is shared between controllers and processors as per GDPR, ensuring clarity.

What is the difference between asking not to be contacted and asking for your personal data to be erased?

Following GDPR, individuals possess a novel entitlement known as the right to erasure or be forgotten. This empowers individuals to request the deletion or elimination of their personal data when no compelling reason justifies its ongoing processing.

Furthermore, individuals have the right to restrict the processing of their personal data. When processing is restricted, you can store the data but refrain from further processing. Minimal data retention is permissible to ensure compliance with the restriction in the future.

If an individual opts not to be contacted for market research, they exercise their right to restrict processing, distinct from the right to erasure. It is crucial to differentiate between these two different rights. Honoring a request not to be contacted for market research necessitates retaining some personal data for operational compliance.

How should we prepare for GDPR, and how will it affect personal members/freelancers?

In a general context, the impact of GDPR on personal data processing for individuals is comparable to its effect on organizations. Although variations might exist in record-keeping and risk assessment (relevant notes below), the overall requirements remain consistent regardless of the organization’s size.

ARP offers guidance to individual members to:

  1. Understand their roles and audit their data processing activities.
  2. Implement necessary processes.
  3. Document their actions; organizations <250 employees must maintain records for higher risk processing, and suppliers in the chain might also have such obligations.

Begin by understanding or reviewing your current position to identify necessary GDPR adjustments.

  • Review data processing details:
    • Role and responsibilities
    • Data sources and types
    • Processing type and purpose
    • High-risk data processing
    • Legal basis for processing
    • Record-keeping
    • Data sharing and cross-border transfers
    • Access, storage, and security

Formulate a GDPR action plan to become compliant, considering risk-based prioritization. 

Potential changes may involve:

  • Modifying contracts/MSA templates.
  • Updating policies and processes, such as data retention and breach procedures.
  • Revising consent statements and privacy notices.
  • Integrating privacy by design and default in new projects.

Please note that the information provided above is for informational purposes only. The responses are not intended to be taken as regulatory or legal advice and should not be construed as such.

Data Protection

Data security is a significant factor for us at Asia Research Partners LLP (ARP), a company engaged in market and opinion research. As we receive information about both private and business people, a large part of the data exchanged with us is strictly confidential (‘personal data’). In the context of privacy, we comply with the standards of the relevant Data Protection Act and as a member of ESOMAR, we also comply with the directives and regulations of the market research professionals’ association.

The operator of this website takes your personal data very seriously. In accordance with the law on data protection and our Privacy Policy, we treat your personal data confidentially.

Typically, the use of our website is possible without the disclosure of personal details. All personal information, such as name, address, or e-mail address, is obtained on our site on voluntarily as far as possible. These data will not be forwarded to third parties without your express permission.

It should be noted that data transmission on the Internet such as when communicating via e-mail, could have security gaps. Comprehensive data security from third parties is not feasible.


This website uses cookies. 

Cookies do not affect your device nor contain any malware. They are simple text files stored on your computer by your browser and are used to make our site more user-friendly, responsive, and safe.

Most of the cookies that we use are called “session cookies”, which are deleted automatically at the end of your session on our website. Other cookies will remain on your terminal until you delete them. These cookies help us to recognize your browser during your next visit to our website.

You can set up your browser so that you are notified about the location of cookies and allow cookies on a case-by-case basis. You can accept cookies in certain situations or rule out and automatically delete them when you close your browser.

Please note that the functionality of this website can be limited when cookies are disabled.

Server Log

This site provider automatically gathers and stores information, that your browser automatically transmits to us, in the server log.

Information stored by the server log include:

  • Browser type/browser version
  • Operating system
  • Referrer URL
  • Hostname of the accessing computer
  • Time of the server request

These data cannot be delegated to any individuals. These data are not combined with data from other data sources. Subsequently, we reserve the right to review these data if we become aware of any concrete allegations of unauthorized use.

Contact form

If you send us your enquiries via the contact form, your details including the contact information you have provided will be stored for to process the enquiry and in the event of any subsequent queries. We will not forward this data without your permission.

Privacy Policy for the use of Google Analytics

This website uses functions from the web analysis service Google Analytics. The provider is Google Inc. 1600 Amphitheatre Parkway Mountain View, CA 94043, USA. Google Analytics uses so-called cookies. These are text files that are stored on your computer that enable an analysis of your use of the website. The information generated by the cookies about your use of this website is usually sent to a Google server in the USA and stored there.

If IP anonymisation is activated on this website, your IP address will be shortened in advance by Google within member states of the European Union or in other contracting states to the European Economic Area. The full IP address will only be transmitted to a Google server in the USA and shortened there in exceptions. Google will use this information on behalf of the user of this website to evaluate your use of the website, compile reports about website activities, and provide further services associated with website use and internet use to the website provider. The IP address transmitted within the scope of Google Analytics from your browser will not be brought together with other data by Google.

You can prevent the storage of cookies by setting your browser software accordingly; however, we must point out that in this case, you may not be able to use all the functions of this website in full. Furthermore, you can prevent the recording of the data generated by the cookie relating to your use of the website (including your IP address) by Google and the processing of this data by Google by downloading and installing the browser plugin available on the following link:

Privacy Policy for the use of Facebook plugins (like button)

Plugins from the social network Facebook, provider Facebook Inc. 1 Hacker Way, Menlo Park, California 94025, USA, are integrated on our site. You will recognise Facebook-Plugins from the Facebook logo or the “Like button” on our site. You will find an overview of Facebook-Plugins here:

When you visit our site, a direct connection will be made between your browser and the Facebook server via the plugin. Facebook receives the information that you have visited our site with your IP address in this way. When you click on the Facebook “Like button” while you are logged on to your Facebook account, you can link the contents of our site to your Facebook profile. As a result, Facebook will allocate the visit to our site to your user account. We must point out that as the provider of the site we have no knowledge of the contents of the data transmitted nor of its use by Facebook. You will find further information on this in the Facebook Privacy Policy on:

If you do not want Facebook to be able to allocate our site to your Facebook user account, please log out from your Facebook user account.

Information, Deletion, Blocking

You have the right at any time to free of charge information about the personal data stored about you, its origin, and recipients and the purpose of data processing as well as the right to correct, block or delete this data.

Objection to Advertising Emails

We hereby object to the use of the contact details published within the scope of the obligation to publish an imprint to send advertising and information material not explicitly requested by us. The operator of this site reserves the right to take legal steps in the event of the unsolicited sending of advertising information, such as through spam emails.


If you have any further questions or require further information about data protection, please contact our Data Protection Officer.

Asia Research Partners LLP

Anubhav Raj
B-1/I-1, 2nd Floor, Mohan Co-operative Industrial Area
Delhi-110044, India
+91 011 410525239