Data protection and ensuring our clients’ overall trust are at the core of Addiliate’s business principles. Accordingly, GDPR compliance is our top priority and we encourage you to read through the FAQs below.
Q: What is GDPR and who does it affect?
The General Data Protection Regulation (GDPR), which will apply from 25 May 2018, creates consistent data protection rules across Europe. It applies to companies that are based in the EU and global companies that process personal data about individuals in the EU.
While many of the principles build on current EU data protection rules, the GDPR has a wider scope, more prescriptive standards and substantial fines. For example, it requires a higher standard of consent for using some types of data, and broadens individuals’ rights with respect to accessing and porting their data. It also establishes significant enforcement powers, allowing a company’s supervisory authority to seek fines of up to 4% of global annual revenue for certain violations.
Q: How does Addiliate prepare GDPR compliance?
As mentioned before, data protection is one of our core principles, and we’ve thoroughly prepared to meet GDPR requirements in the following way:
- Create an internal stakeholder group to assess our exposure. This group will consist of the people responsible for Tech, Advertisers, Sales and Management, so that we have the full picture.
- Create a Privacy Impact Assessment (PIA) to analyze our exposure to data.
- Based on the outcomes of the PIA, we’ll revise our
- Documentation and procedures related to data
- Appoint a person responsible for this topic, called the Data Protection Officer (DPO)
- Privacy Policies
- TC for Advertisers
- TC for Publishers.
- GDPR documentation.
- Afterwards, we’ll communicate external adaptations to our partners
- Next, we’ll prepare general documentation about our GDPR updates to put on our website
- Last, we’ll provide training to our teams so they are all aware of the implications.
Key legal bases
Under GDPR, there are a number of grounds to legitimise the processing of personal data. Below, we’ve outlined the most relevant legal bases under the GDPR.
Basis Requirements and product implications
- Data processed must be necessary for the Service and defined in the contract with the individual
- Requires a freely given, specific, informed and unambiguous consent by clear affirmative action
- People have a right to withdraw consent, which must be brought to their attention
- Must be from a person over the age of consent specified in that Member State, otherwise given by or authorised by a parent/guardian
- Explicit consent is required for some processing (e.g., special categories of personal data)
- A business or third party must have legitimate interests which are not overridden by individuals’ rights or interests.
- Data processing must be paused if an objection is raised by an individual
Q: What constitutes personal data?
Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, an email address, phone number, or a computer IP address.
Q: Addiliate’s role as a data controller and a data processor?
A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller. Addiliate is both a data controller and a data processor. As a controller, Addiliate relies on its advertisers and publishers to get consent for Addiliate to process such data, as Addiliate is not in direct contact with users.
- Data controller
- When analyzing anything present in HTTP headers for quality control purposes and tracking. HTTP headers are a standard part of the web protocol, sent by default with any browser request to any server on the Internet. HTTP headers include IP addresses, User Agent, Operating System, Timestamp, Web browser, Carrier, Device Type, Device Brand, Device Model, Referrer and Requested page.
- When a publisher tracking pixel is implemented
- When Addiliate sends the Session ID or Publisher’s Cookie to the Publisher
- Data processor, when receiving information via
- The tracking pixel implemented on the advertiser site:
- When advertisers send us the Session ID or Addiliate Cookie
- Optional value for quality control
- When advertisers send us additional information related to quality and control, like orderID, Amount, Currency, IP Address, Carrier.
- When publishers send us additional information related to quality and control.
- Optional value for traffic optimization
- When publishers send us additional information in the Sub-IDs
Q: How long will we save the data in our system and when do we delete data?
Our two basic purposes of data collection are:
- Conversion tracking
- Our cookies expire by default after 30 days, and we delete cookie data after that term as there is no further reason to track users.
- Quality and Control.
- Other user data is kept for quality and control purposes and is only deleted after a specific request.
Data is secured with Google cloud protection.
Q: Is this data being stored on European servers?
Where we act as a data processor on an advertiser’s behalf, we will be relying on our advertiser’s legal basis as data controller for our processing of such data. Specifically, Advertisers should request Consent for Pixels and other Personal Data for quality control. Addiliate uses Pixels (as defined above) to provide its services. Advertiser shall ensure that appropriate notice and consent mechanisms as may be required by Applicable Data Protection Law are displayed upon digital properties in which Advertiser places Addiliate Pixels so that Addiliate can provide its services lawfully through such properties. Advertiser shall not fire any Addiliate Pixels unless and until any necessary consents required under Applicable Data Protection Laws have been obtained.
Where we act as a data controller on a publisher’s behalf, we will be relying on our publisher’s legal basis as data controller for our controlling of such data. Specifically, Publishers should request Consent for analysis of HTTP headers. Addiliate uses information obtained from HTTP headers (as defined above) to provide its services. Additionally (if applicable), Publishers should request Consent for analysis of Tracking pixels. Publishers might use information obtained from Tracking pixels (as defined above) to provide their services. Publishers shall ensure that appropriate notice and consent mechanisms as may be required by Applicable Data Protection Law are displayed upon digital properties in which Publishers place Addiliate Tracking Links so that Addiliate can provide its services lawfully through such properties. Publishers shall not implement any Addiliate Tracking Links unless and until any necessary consents required under Applicable Data Protection Laws have been obtained.
Where we act as a data processor on a publisher’s behalf, we will be relying on our publisher’s legal basis as data controller for our processing of such data. Specifically, Publishers should request Consent for sending any Personal Data as a Sub-ID in the Tracking link or via any other means. Publishers shall ensure that appropriate notice and consent mechanisms as may be required by Applicable Data Protection Law are displayed upon digital properties in which Publishers place Addiliate Tracking Links so that Addiliate can provide its services lawfully through such properties. Publishers shall not implement any Addiliate Tracking Links unless and until any necessary consents required under Applicable Data Protection Laws have been obtained.
Q: How does consent work under GDPR?
The request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent – meaning it must be unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
Q: What do you have to do for GDPR?
To comply with the GDPR you must meet a number of requirements. These include, without limitation:
- Only collect information that you need for a specific purpose.
- Seek consent to store the information you hold.
- Keep it secure.
- Allow the subject access to the information on request.
- Comply with a subject’s ‘right to be forgotten’ and erase personal data upon request.
Should you have further queries, please visit the EU GDPR website at: https://www.eugdpr.org/eugdpr.org.html.
Traveserra de Gracia 56 Atico 1, 08006 Barcelona