GDPR & Data Protection
Last updated: 10 April 2026
MSG Opinion is fully committed to compliance with the EU General Data Protection Regulation (Regulation 2016/679), the UK GDPR and the UK Data Protection Act 2018. This notice sets out how we approach data protection across our research operations and how individuals can exercise their rights.
1. Roles: controller and processor
In most research engagements, MSG Opinion acts as a data processor on behalf of our clients, who are the data controllers. In these cases, processing is governed by a written Data Processing Agreement (DPA) executed before any personal data is shared. Where we collect and manage personal data in our own right (for example, running our proprietary panels or handling business enquiries), MSG Opinion acts as the data controller.
2. Lawful bases (Article 6 GDPR)
- Explicit consent — the default basis for research participation and for processing any special-category data (health, trade union membership, religious beliefs, etc.).
- Contract — to fulfil obligations to clients or panellists.
- Legal obligation — for financial, tax and pharmacovigilance records.
- Legitimate interests — for B2B business development, security monitoring and fraud prevention, where balanced against data subjects' rights.
3. Special-category data (Article 9 GDPR)
Patient and healthcare research sometimes involves sensitive data including health information. We only process such data with the explicit, informed consent of the individual. Consent forms clearly identify the purpose, the recipients, retention periods and the rights of the data subject.
4. Data subject rights
Under the GDPR, individuals have the right to:
- Be informed about processing.
- Access their personal data (Article 15).
- Rectification (Article 16).
- Erasure or "right to be forgotten" (Article 17).
- Restrict processing (Article 18).
- Data portability (Article 20).
- Object to processing (Article 21).
- Not be subject to automated decision-making with legal effect (Article 22).
- Withdraw consent at any time, without affecting prior lawful processing.
- Lodge a complaint with a supervisory authority.
Requests can be submitted to privacy@msgopinion.ai. We respond within one month (extendable by two further months for complex requests), free of charge unless requests are manifestly unfounded or excessive.
5. International data transfers (Chapter V GDPR)
Where we transfer personal data outside the EEA or the UK, we rely on one of the following transfer mechanisms:
- European Commission adequacy decisions (including the EU-US Data Privacy Framework where applicable).
- Standard Contractual Clauses (SCCs) as approved by the European Commission, supplemented by transfer impact assessments.
- UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs.
- Binding corporate rules where in place.
6. Data Protection by Design and by Default (Article 25)
Privacy is embedded at the design stage of every research study. We conduct Data Protection Impact Assessments (DPIAs) for all high-risk processing activities, apply data minimisation, pseudonymisation and encryption, and review access controls on a quarterly basis.
7. Records of processing (Article 30)
We maintain records of all processing activities and make them available to supervisory authorities on request.
8. Security and breach notification (Articles 32–34)
We apply appropriate technical and organisational measures aligned with ISO 27001. In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours where feasible, and affected data subjects without undue delay where there is a high risk to their rights and freedoms.
9. Data Protection Officer
MSG Opinion has appointed a Data Protection Officer (DPO) who can be contacted at:
Email: privacy@msgopinion.ai
Postal correspondence: Available on request via the email above.
10. EU Representative
Where required by Article 27 GDPR, MSG Opinion has appointed an EU representative for data subjects and supervisory authorities located in the EU. Details are available on request.
11. Supervisory authority
Data subjects in the UK may lodge a complaint with the Information Commissioner's Office (ico.org.uk). Data subjects in the EU may contact the data protection authority in their country of residence.
12. Further information
This notice should be read alongside our Privacy Policy and Cookie Policy. For specific questions about a study you have taken part in, please use the contact details provided in that study's consent form.