Last updated on: 3rd July 2026

  • 20 October 2025

These terms are currently in effect as of 3rd July 2026. Except as otherwise set out in an active Order, if you used the Services on or after this date, these are the terms that govern your use of the Services. To view previous versions, use the drop-down menu above. To return to the legal page, click here.

BY ENTERING INTO AN ORDER OR OTHER AGREEMENT WHICH INCORPORATES OR REFERENCES THIS AGREEMENT, BY CLICKING TO ACCEPT THIS AGREEMENT OR ACCESSING OR USING ANY GWI SERVICES, YOU ARE ACCEPTING ALL OF THE TERMS AND CONDITIONS OF THIS AGREEMENT. THIS AGREEMENT IS LEGALLY BINDING. IF YOU DO NOT AGREE TO THIS AGREEMENT, YOU MUST NOT USE ANY SERVICES.

 

CUSTOM ACTIVATIONS DATA PROCESSING AGREEMENT

This Annex 1 DPA to the relevant SOW describes Processing that GWI will perform on behalf of You as Controller in accordance with your written instructions in this Annex 1 and any other written instructions from time to time in order to provide the services described below as set out as required by Article 28(3) GDPR or provisions in applicable Data Protection Legislation.

 

Description

Details

1. Controller

The client entity entering into this Agreement as set out in the Order.

2. Processor

Trendstream Limited. (processor for you with regards to the processing activities in section 5(i) below)

3. Subject matter

Activation of personal data in a Platform targeting consumers whether or not known to Controller

4. Duration of Processing

Subscription Period

5. Purpose and nature of Processing

(i) GWI will build the Custom Segment(s) on your behalf and transfer the Custom Segment(s) to Panel Provider (in this instance shall be Dynata LLC (“Dynata”)) with the relevant Dynata Panel ID for each Custom Segment Respondent (“GWI Pseudonymized Data”).

(ii) Dynata will:

(a) process the GWI Pseudonymized Data to create a Modelled Segment (which will not include any GWIPseudonymized Data).

(b) Load the Modelled Segment(s) into the Platform.

(iii) Dynata will no longer be processing GWI Pseudonymized Data once the Modelled Segment(s) has/have been created and scaled.

(iv) Dynata will upload Dynata’s pseudonymised personal data in the form of the Modelled Segment(s) into the Platform indicated by you for you to purchase.

6. Processing activities

Viewing, receiving, accessing, storing, recording, modifying, correcting, enriching, deleting the data

7. Types of Pseudonymized Data

GWI Pseudonymized Data consists of the following:

(a) Segment name describing one or more attributes of GWI Respondents, based on GWI’s review of survey responses received from each GWI Respondent; and

(b) A Dynata panellist ID, which is only identifiable to Dynata

The attributes described by a segment name may include the following types of information about an individual:

(c) Characteristics

(i) Demographic

(ii) Economic and financial

(iii) Nationality and citizenship

(iv) Opinion

(v) Personal preference and interest

(vi) Information

(d) Habits and activities:

(i) Behaviour

(ii) Consumed resources

Dynata’s Pseudonymised Data consists of the following:

  1. Segment name describing one or more attributes of an individual based on your instructions;
  2. An ID;
  3. Characteristics:

(i) Demographic

(ii) Economic and financial

(iii) Nationality and citizenship

(iv) Opinion

(v) Personal preference and interest

(vi) Information

(d) Habits and activities:

(i) Behaviour

(ii) Consumed resources

8.Special category Pseudonymized Data

Pseudonymized Data may contain the following special category data. No special category data will be processed without Panellist consent.

9. Data Subjects

(a) Custom Segment Respondents (seed data)

(b) Dynata Modelled Segment respondents or where appropriate subprocessor Modelled Segment respondents.

SUB-PROCESSORS

The Processing activities required to perform the services described above  will be carried out using the Sub-processors in  the table below.

Name of

processors

Address of

processor

Territory

where

Processing

will be

carried out

Indicate whether Restricted International Transfer

Agreement (or “RITA”, for example Standard Contractual Clauses (“SCC”) or similar terms) are in place for

Processing of personal data in Third Countries (Yes / No)

Processing activities

GWI Sub-Processor

Dynata, LLC

 

The USA

Yes.

Processing activities are as set out in section 5(ii) above

Dynata Sub-Processor

Semasio

Semasio GmbH. Mönkedamm 11 20457 Hamburg

Germany

Yes.

Processing activities are as set out in section 5(ii) above

 

INTERNATIONAL TRANSFERS

GWI will ensure it has in place with Dynata (as subprocessor) terms that are materially the same as in this Annex 1. GWI shall include as appropriate: (a) where there are international transfers of a Custom Segment protected by the EU GDPR, the Standard Contractual Clauses (EU SCCs) annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 currently found at https://eurlex.europa.eu/eli/dec_impl/2021/914 , as may be amended, superseded or replaced; or (b) for a restricted transfer subject to UK GDPR, the EU SCCs as modified by the "International Data Transfer Addendum to the EU Standard Contractual Clauses” issued by the Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018 (“UK Addendum”).

There is no restricted transfer of personal data under Data Protection Legislation between GWI and you. GWI will flow down the obligations to Dynata to ensure: (i) the contract covers the instructions as set out in this Annex 1, and (ii) Dynata will where applicable in turn ensure that EU SCCs and UK Addendum are entered into between Dynata and its relevant sub-processors as required by the EU GDPR and UK GDPR.

GWI TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

GWI shall maintain appropriate technical and organisational measures (GWI Technical and Organisational Security Measures) and shall:

(a) provide such assistance as Controller may require for the purpose of Controller: (i) demonstrating compliance with their obligations under Data Protection Laws and (ii) protecting the GWI Pseudonymized Data against unauthorised or unlawful Processing and against accidental or unlawful destruction, loss or alteration, unauthorised disclosure of, or access to, GWI Pseudonymized Data;

(b) process the GWI Pseudonymized Data in accordance with the relevant Data Protection Laws;

(c) maintain confidentiality and integrity of GWI Pseudonymized Data, including but not limited to compliance with the Agreement;

(d) adopt suitable technical safeguards, such as the pseudonymization and encryption of GWI Pseudonymized Data where appropriate;

(e) adopt measures to ensure the ongoing, availability and resilience of GWI’s systems and services;

(f) adopt a process for regularly testing, assessing and evaluating the effectiveness of the GWI Technical and Organisational Security Measures for ensuring the security of the processing of GWI Pseudonymized Data;

(g) ensure all processing is subject to binding written contractual obligations which provide an adequate level of confidentiality over the GWI Pseudonymised Data;

(h) ensure adequate training on compliance has been provided as required.

Additional Processing Terms

For Controller Personal Data (i.e. processing activities described in this Annex 1) where GWI acts as processor, GWI will, and will contractually require its subprocessor Dynata to, comply with the following:

  1. only process the Controller Personal Data in accordance with this Annex 1 and any Controller documented instructions from time to time except where otherwise required by applicable law. GWI shall immediately inform the Controller if any instruction relating to the Controller Personal Data infringes any Data Protection Laws.
  2. In relation to the Modelled Segment GWI shall contractually require Dynata to at its own cost: (a) provide such information and assistance (including by taking all appropriate technical and organisational measures) as Controller may require in relation to the fulfilment of the Controller’s obligations to respond to requests for exercising the data subjects’ rights under applicable Data Protection Laws; and (b) provide such reasonable information and co-operation to the Controller as Controller reasonably requires (taking into account the nature of processing and the information available to GWI) to ensure compliance with the Controller’s obligations under Data Protection Laws, including with respect to: (i) security of processing (including with any review of security measures); (ii) data protection impact assessments (as such term is defined in Data Protection Laws); (iii) prior consultation with a data protection supervisory authority regarding high risk processing; and (iv) and/or any complaint or request relating to either party’s obligations under Data Protection Laws relevant to this Agreement.
  3. GWI shall at its own cost where related to Controller Personal Data: (a) record and refer all requests and communications received from data subjects or any data protection supervisory authority to Controller to pass on to Controller where appropriate; (b) not respond to any such requests or communications without the Controller’s express written approval unless and to the extent required by applicable law; and (c) maintain complete, accurate and up to date written records of all categories of processing activities carried out on behalf of Controller.
  4. GWI will not process and/or transfer, or otherwise directly or indirectly disclose, any Controller Personal Data in or to any country or territory outside of the UK, European Economic Area (EEA) or the US without the Controller’s prior written authorisation or as agreed in this Annex 1.
  5. GWI will allow and provide reasonable assistance as required for an audit by the Controller, with prior reasonable written notice, as this relates to Controller Personal Data.
  6. GWI shall resolve, at its expense, all data protection and security issues discovered or reported to GWI that reveal a breach or potential breach by GWI of its obligations under the Agreement.
  7. GWI shall without undue delay (and in any event within 72 hours): (i) notify Controller if it becomes aware of any personal data breach in respect of any Controller Personal Data; and (ii) provide the information as Controller reasonably requires in relation to the personal data breach to ensure Controller can report the personal data breach to a data protection supervisory authority (such as the Information Commissioner’s Office) and to notify affected data subjects as required under Data Protection Laws.
  8. GWI shall not make or authorise any announcement or publication about any personal data breach without the agreement of the Controller.

GWI will, at the Controller’s written request or after termination of the Agreement: (i) delete the Modelled Segment and in any event within 30 days; and (iii) also delete existing copies (unless storage of any data is required by applicable law).