Last Updated: November 13, 2025
This Data Processing Agreement (“DPA”) is incorporated into and forms part of the written or electronic agreement (“Agreement”) between Gallup and a Consumer who purchases services directly from Gallup. If any conflict arises between the terms of the Agreement and this DPA, the terms of this DPA will control as they relate to data processing by Gallup. Gallup and the Consumer may each be referred to as a “Party” and collectively as “Parties.” For clarity, if you or your organization enter into a separate DPA for contracted services, that DPA governs those services.
- Definitions
- “Controller” means the entity that, alone or jointly with others, determines the purposes and means of Processing of Personal Data.
- “Data Protection Laws” means all applicable legislation relating to data protection and privacy that applies to the respective Party responsible for Processing Personal Data under the Agreement, including, without limitation, the European Data Protection Laws, as amended, repealed, consolidated, or replaced from time to time.
- “Data Subject” means the identified or identifiable individual to whom Personal Data relates.
- “European Data” means Personal Data subject to the protection of European Data Protection Laws.
- “European Data Protection Laws” means data protection laws applicable in the European Economic Area and the United Kingdom, including Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons regarding the processing of personal data and on the free movement of such data (“EU Data Protection Regulation” or “GDPR”) and the GDPR as it forms part of the United Kingdom domestic law under Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”).
- “Personal Data” means information relating to an identified or identifiable individual.
- “Personal Data Breach” means a security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.
- “Processing” means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, or erasure of Personal Data.
- “Processor” means the entity that Processes Personal Data on behalf of the Controller.
- “Sub-processor” means an entity a Party engages to provide Processing services to help fulfill the Party’s obligations under the Agreement or this DPA when such entity Processes Personal Data.
- Role of the Parties
For this DPA, Customer acts as the Controller (or its functional equivalent under applicable Data Protection Laws), and Gallup acts as the Processor (or its functional equivalent under those same laws). Within the scope of the Agreement and this DPA, both Parties will comply with all applicable Data Protection Laws related to Processing Personal Data.
- Gallup’s Processing of Personal Data
Gallup will handle all Personal Data in accordance with this DPA and will:
- Act only on written instructions from Customer, as set forth in the Agreement.
- Ensure that any personnel authorized to Process Personal Data are subject to appropriate contractual and/or statutory confidentiality obligations with respect to the data.
- Maintain commercially reasonable technical and organizational security measures and procedures designed to safeguard and protect the security, confidentiality, and integrity of Personal Data.
- Notify Customer without undue delay, and in no event later than 72 hours, after Gallup or its Sub-Processors become aware of any Personal Data Breach and provide timely information about the breach as it becomes known or as reasonably requested by Customer. At Customer’s request, Gallup will promptly provide reasonable assistance to help Customer to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if Customer is required to do so under applicable Data Protection Laws.
- Provide reasonable assistance to help Customer respond to requests from Data Subjects who seek to exercise their rights under applicable Data Protection Laws.
- Engage any Sub-Processors to process Personal Data only after entering into an agreement requiring them to meet obligations substantially equivalent to those imposed on Gallup under this DPA. Gallup maintains an updated list of all Sub-Processors.
- Delete all Personal Data at Customer’s direction unless retention of such data is required by law.
- Security Reports and Audits
Gallup uses external auditors to verify the adequacy of its security measures, including the security of the physical data centers from which Gallup provides the Services. This audit will: (a) occur at least annually; (b) follow ISO 27001 standards or such other standards that are substantially equivalent; (c) be conducted by independent third-party security professionals selected and paid by Gallup; and (d) result in an audit report (“Report”), which constitutes Gallup’s Confidential Information. At Customer’s written request, and provided that the Parties have a valid NDA in place, Gallup will make the Report available so that Customer can reasonably verify Gallup’s compliance with its obligations under this DPA.
- Additional Provisions for European Data
- The Parties agree to provide each other with commercially reasonable assistance in any data protection impact assessments or prior consultations with supervisory authorities or other competent data protection authorities, as required by European Data Protection Laws.
- If provisions of the services require the transfer of European Data to countries that the relevant authorities have not recognized as providing an adequate level of protection of Personal Data, the Parties acknowledge and agree that such transfers will take place under the transfer mechanisms described below.
- For Personal Data transferred from the European Economic Area, the Standard Contractual Clauses (SCCs) issued under the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, on standard contractual clauses for the transfer of personal data to third countries under Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj, (“EU SCCs”), apply and form part of this DPA. For purposes of the EU SCCs, they will be deemed completed as follows, to the extent applicable:
- Module 2 (Controller to Processor) applies.
- Clause 7 (the optional docking clause) is not included.
- Under Clause 9 (Use of Sub-Processors), the Parties select Option 2 (General Written Authorization).
- Under Clause 11 (Redress), the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body is inapplicable.
- Under Clause 13 (Supervision), the Parties will follow the rules for identifying such authority under Clause 13 of the EU SCCs and, to the extent legally permissible, select the Irish Data Protection Commission. Where the Data Exporter is established in the UK, the Information Commissioner’s Office serves as the competent Supervisory Authority.
- Under Clause 17 (Governing law), the Parties select Option 1 (the law of an EU Member State that allows third-party beneficiary rights). The Parties select the law of Ireland.
- Under Clause 18 (Choice of forum and jurisdiction), the Parties select the courts of Ireland.
- Annex I, Part A — List of Parties: The data exporter is Customer, and the data importer is Gallup.
- Annex I, Part B — Description of Transfer: The categories of data subjects include employees of Customer. The Personal Data transferred may include name, title, business contact information, and survey responses. Collection and processing of special category data is not required in connection with the provision of services. Transfers will be made for the duration that Gallup processes Customer’s data. The nature of Processing and purposes for transferring data include the provision of services by Gallup. Gallup will retain the data as described in Section 3.7 of this DPA.
- Annex II, Technical and Organizational Measures to Ensure the Security of Data: As described in Section 3.3 of this DPA.
- Annex III, List of Sub-Processors: As described in Section 3.6 of this DPA.
- By entering into this DPA, the Parties are deemed to have signed the EU SCCs.
- General Provisions
- Term. This DPA remains in full force and effect while Gallup processes Customer’s data.
- Severability. If any individual provision of this DPA is found invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.