Compliance
GDPR & Data Privacy Compliance
Last updated: July 2026
Our Commitment to Data Privacy
At Yamada Research Co., Ltd., we take the privacy and protection of personal data seriously. As a global research panel provider operating across 60+ countries — including markets within the European Union and European Economic Area — we are committed to full compliance with the General Data Protection Regulation (GDPR) and applicable local data protection laws.
Our compliance framework governs how we collect, store, process, and use personal data from research participants, clients, and all individuals who interact with our panels and services.
What Data We Collect
We collect personal data only for legitimate research purposes. This may include:
- Demographic information — age, gender, country of residence
- Professional information — job title, industry sector, employer type
- Health information — self-reported health conditions, professional medical credentials (Healthcare Panel only)
- Contact information — email address, phone number (for panel communication)
- Survey responses — opinions, behaviours, and preferences collected during research studies
We do not collect sensitive personal data beyond what is necessary for the specific research purpose, and we never sell personal data to third parties.
Legal Basis for Processing
Under GDPR, we process personal data on the following lawful bases:
Consent
All panel members provide freely given, specific, informed, and unambiguous consent before participating in any research. Consent is recorded and can be withdrawn at any time.
Legitimate Interests
In certain cases, we process data based on legitimate interests — such as maintaining panel quality, preventing fraud, and ensuring research integrity — where these do not override the rights of the individual.
Contractual Necessity
Where we process data as part of a contractual obligation with clients or partners, we do so only to the extent necessary to fulfil that obligation.
Your Rights Under GDPR
If you are a resident of the EU, EEA, or any jurisdiction with equivalent data protection rights, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate or incomplete data
- Erasure — request deletion of your personal data (“right to be forgotten”)
- Restriction — request that we limit how we use your data
- Portability — request your data in a structured, machine-readable format
- Object — object to processing based on legitimate interests
- Withdraw Consent — withdraw consent at any time without affecting prior processing
To exercise any of these rights, contact us at: privacy@ymdonline.com. We will respond to all requests within 30 days in accordance with GDPR requirements.
Data Retention
We retain personal data only for as long as necessary for the purpose it was collected:
| Data Type | Retention Period |
|---|---|
| Panel member profiles | Duration of panel membership + 12 months |
| Survey responses (anonymised) | Up to 5 years for research validity |
| Client contact data | Duration of contract + 3 years |
| Consent records | 5 years |
Upon expiry of the retention period, data is securely deleted or anonymised.
Data Security
Yamada Research implements industry-standard technical and organisational measures to protect personal data, including:
- Encryption of data in transit and at rest
- Access controls and role-based permissions
- Regular security audits and vulnerability assessments
- Staff training on data protection and privacy obligations
- Incident response procedures in line with GDPR breach notification requirements (72-hour notification)
International Data Transfers
As a global panel provider, data may be transferred across borders. Where data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements (DPAs) with all clients and subprocessors
- Assessment of third-country adequacy decisions where applicable
Cookies & Website Data
Our website uses cookies to improve user experience and analyse site performance. We use only:
- Essential cookies — required for the site to function
- Analytics cookies — to understand how visitors use our site (with consent)
You can manage or disable cookies at any time through your browser settings. Please note that disabling essential cookies may affect how the website functions.
Data Processing Agreements
For clients who engage Yamada Research as a data processor, we offer fully executed Data Processing Agreements (DPAs) that define:
- The scope and purpose of data processing
- Technical and organisational security measures
- Sub-processor disclosure and approval
- Data subject rights obligations
- Breach notification procedures
To request a DPA, contact: legal@ymdonline.com.
Our Data Protection Officer
Yamada Research has designated a Data Protection Officer (DPO) responsible for overseeing our GDPR compliance programme.
Data Protection Officer
Yamada Research Co., Ltd.
209 Comet Building, 35/5-7 Krungthonburi Road,
Klongtonsai, Klongsan, Bangkok 10600, Thailand
Complaints & Regulatory Authorities
If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local data protection supervisory authority. For EU residents, this is your national Data Protection Authority (DPA).
In Thailand, data protection is governed by the Personal Data Protection Act B.E. 2562 (PDPA), enforced by the Office of the Personal Data Protection Committee (PDPC).
Policy Updates
This policy was last updated: July 2026.
We review and update this policy regularly to reflect changes in law, regulation, and our business practices. Material changes will be communicated to panel members and clients directly.
