Privacy Statement v2.0
Last update: May 1st, 2025 version 2.0
1. Introduction
Haystack Consulting (“we”, “us”, “our”) is a market research and consultancy agency with offices in Heverlee, Belgium, and Amsterdam, The Netherlands.
Haystack acknowledges the importance of data protection and privacy of personal data; therefore, we will treat the personal data of those concerned with due care. We are committed to protecting the personal data of individuals (“you”, “your”) in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable Belgian, Dutch, and other local privacy laws and regulations.
Personal data can be defined as any information relating to an identified or identifiable natural person (‘data subject’). Haystack considers the collected personal data as confidential information, which it will only process for the purposes specified in this policy and which it will retain no longer than necessary for the realization of those purposes.
This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when we act as either a data controller or a data processor.
2. Scope
This Privacy Policy applies to:
- Individuals who participate in our market research studies.
- Clients, suppliers, and business partners.
- Visitors to our website and users of our online platforms.
- Job applicants
- Any processing activity where we determine the means and purposes (controller role) or act on behalf of a third party (processor role).
3. Roles and Responsibilities – Market Research
- When we design and conduct research, determine its purpose and methodology, and collect personal data directly from participants, we act as a data controller.
- When we process personal data on behalf of our clients according to their instructions, we act as a data processor, and the client remains the data controller.
- When we collaborate with local and/or online (recruitment) partners and make use of their access panels to invite participants, the partner is the data controller of the personal data in the database; we are the data controller for all personal data collected specifically in the context of the research project.
4. Types of Data We Collect
Depending on our role and the context, we may collect:
- Identification data (e.g., name, email address, phone number)
- Demographic data (e.g., age, gender, location, professional occupation, personal characteristics)
- Behavioural data (e.g., responses to surveys or interviews)
- Technical data (e.g., IP address, browser type)
- Audio/Visual data (e.g., recordings with your consent)
- Special mention:
  - Special categories of personal data (e.g., trade union membership, religious affiliation, race or ethnic background)
  - Personal data of children
5. Lawful Bases for Processing
a. General
We process personal data based on the following legal grounds:
- Your explicit and informed consent (Art. 6(1)(a) GDPR)
- The necessity to perform a contract (Art. 6(1)(b) GDPR)
- Our or a third party’s legitimate interests (Art. 6(1)(f) GDPR), such as business development or quality assurance
- Legal obligations we must comply with (Art. 6(1)(c) GDPR)
b. Research Projects
1) Haystack as a controller
All personal data that Haystack collects during a market research project is provided to Haystack voluntarily by the participants. No one is forced in any possible way to provide Haystack with information. At the start of a survey, we will always ask for your consent. Refusing to consent will end your participation in the survey. You can always withdraw your consent by stopping your participation at any given moment or by contacting us after the survey.
Special categories of personal data are only processed when explicit and informed consent has been given by the data subject (Art. 9(2)(a) GDPR).
When a child is below 16 years old, processing is subject to prior consent by a holder of parental responsibilities or a legal guardian (Art. 10(1)(a)).
2) Haystack as a processor
When Haystack is a processor, its clients, acting as controllers, are responsible for the lawful basis for processing. Any concerns should be addressed to the controller, not Haystack.
6. Data Use and Purposes
a. Haystack as a controller
We process personal data for:
- Conducting and analysing market research
- Communicating with research participants
- Normal business activities, such as client management, personnel management, supplier management, and administration.
- Complying with legal or regulatory obligations
- Improving our services and methodologies
b. Haystack as a processor
When providing services to clients, Haystack may have access to clients’ databases containing personal and other confidential data. We will act on explicit instructions of the client, who will define the means and purpose of the processing. The client will be the controller, and processing by Haystack is subject to the privacy policy of the client/controller, and will be governed by a data processing agreement between Haystack and its client.
7. Use of Partners and Data Processing Agreements
We may engage third-party partners to support our services, such as providers of research (support) services, IT providers, data collection platforms, transcription services, and analytics tools. These partners may process personal data on our behalf.
- When we act as a data controller, we enter into Data Processing Agreements (DPAs) with each processor to ensure that they only process personal data under our instructions and in compliance with GDPR.
- When we act as a data processor, we support our clients in ensuring that their own processors (sub-processors) are subject to equivalent contractual obligations.
All processors are assessed for their compliance with data protection standards and are bound by confidentiality and security obligations.
8. Cookies and Tracking Technologies
a. Website
Our website uses cookies and similar technologies to ensure proper functionality and to analyse website usage. The types of cookies used include:
- Essential cookies (functional): Necessary for basic website operations.
- Analytics cookies: Help us understand how visitors interact with the site.
- Preference cookies: Remember your settings and preferences.
- Marketing cookies: May be used to deliver targeted advertising, with your consent.
b. Research Projects
Some online surveys collect information using “cookies”. “Cookies” are used as little as possible and only for quality control, validation, and, above all, to prevent us from sending you reminders for an online survey that you have already completed. We also automatically collect data about your operating system, screen settings, and browser type to ensure that the layout of the questionnaire and its functionality are adapted to your device. We do not collect any other information.
You can manage or withdraw your cookie consent at any time via our cookie banner or your browser settings. For more information, see our Cookie Policy.
9. Data Sharing
We may share data with:
- Clients (when acting as a processor)
- Trusted service providers (e.g., survey platforms, data hosting services)
- Regulatory or legal authorities, if required
Haystack will refrain from disclosing personal data of the data subject to third parties, as well as publicly disclosing data subjects’ personal data. Personal data of data subjects will only be communicated to third parties provided that consent of the data subjects was obtained.
Note that we report the results of market research projects on an aggregated level to our clients, thus anonymizing the research results.
10. Data Transfers Outside the EEA
If personal data is transferred outside the European Economic Area (EEA), we ensure that such transfers are made in accordance with Chapter V of the GDPR. This includes:
- Transfers to countries recognized by the European Commission as having an adequate level of data protection.
- Use of Standard Contractual Clauses (SCCs) approved by the European Commission.
- Additional safeguards, such as encryption and access controls, where necessary.
11. Data Retention
We retain personal data only as long as necessary for the purposes for which it was collected, or as required by law (e.g., tax regulation).
Personal data collected during a market research project is retained until the project is completed and all results are delivered to our clients. Most often, personal data is stored for 6 months after a project’s completion for quality assurance reasons.
Data processed as a processor is retained following the client's instructions.
12. Your Rights
You have the following rights under the GDPR (Art. 15-21):
- Right to access your personal data
The data subject always has the opportunity to request all collected personal data (including processing purposes, categories of personal data, and estimated retention period) for inspection.
- Right to rectification
The data subject has the opportunity to have incorrect personal data corrected.
- Right to erasure (“right to be forgotten”)
If the data subject wishes to have their personal data removed, the data subject can contact Haystack to request the removal of personal data by free request. The data subject recognizes that, if the personal data are not provided or the erasure thereof is requested, Haystack will not be able to deliver the services.
- Right to restriction of processing
In certain cases, the data subject is entitled to obtain the restriction of the processing of their personal data.
- Right to data portability
The data subject has the right to receive the personal data concerning him or her, processed by Haystack, in a structured, commonly used and machine-readable format and/or to transmit those data to another controller.
- Right to object to processing
The data subject can object to the processing of personal data. Please note that the data subject is not entitled to object to the processing of their personal data if such personal data is necessary for the execution of an agreement between Haystack and the data subject or the data subject’s company.
- Right to withdraw consent at any time
The data subject can withdraw their consent at any time. When there is no legal basis for the processing, Haystack will stop the processing of the personal data.
- Right to lodge a complaint with the Belgian Data Protection Authority
If, at any time, you are of the opinion that Haystack infringes your privacy, you have the right to lodge a complaint with the Belgian supervisory authority:
Gegevensbeschermingsautoriteit, Drukpersstraat 35, 1000 Brussel
Tel +32 (0) 2 274 48 00, email: contact@apd-gba.be
These rights can be exercised free of charge by sending an email to privacy@haystack-consulting.com.
When Haystack is the controller, all requests will be handled by Haystack’s data protection officer (DPO) within the legal period.
When Haystack is a processor, Haystack will forward your request to the controller and assist the controller in fulfilling their obligations.
13. Security Measures
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purpose of processing as well as the risk for the rights and freedoms of data subjects, Haystack implements the appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access (Art. 32(1) GDPR).
Haystack adheres to industry standards, and, when acting as a processor, to its clients’ instructions and security requirements.
14. Changes to Our Privacy Policy
We may change this Privacy Policy from time to time. We will do this by posting the updated version on the website. When we publish changes to our Policy, we will change the date of the “last update” of our Privacy Policy. Significant changes will be reported on the homepage. Nevertheless, we encourage you to read our Privacy Policy periodically.
15. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us at:
Haystack Consulting
Romeinsestraat 4, 3001 Heverlee, Belgium