GDPR Compliance
What is the GDPR?
GDPR replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.
What does Privacy-by-design mean?
Privacy-by-design is a concept which consists of taking into account data privacy throughout the whole engineering process.
What’s the Difference Between the GDPR and ePrivacy?
An easy and simple way to remember the difference is to think of the GDPR in the context of data protection and ePrivacy in the context of user privacy.
Is the system a Data Processor or Data Controller?
As an ad network and ad exchange, the system acts as a co-data controller, in conjunction with our publishers.
What is the difference between a Data Processor and a Data Controller?
This distinction is important for compliance and here are the exact definitions of each role:
Data Controller:
- A company/organization that collects people’s personal data and makes decisions about what to do with it. So if you’re collecting personal data and are determining how it will be processed, you’re the Controller of that data and must comply with applicable data privacy legislation accordingly.
Data Processor
- A company/organization that helps a controller by “processing” data based on its instructions, but doesn’t decide what to do with data. A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.
What constitutes personal data?
Any information related to a natural person or "Data Subject", that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
There are two sub-categories in personal data:
- Personally identifiable information (PII) such as a person’s name, surname, phone number, etc.
- Pseudonymous data or non-directly identifying information, which does not allow the direct identification of users but allows the singling out of individual behaviors (for instance to serve the right ad to the right user at the right moment). Examples: cookie ID, hashed email, device ID ...
Note: Directly identifying information can be pseudonymized. Pseudonymization is the separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately.
GDPR establishes a clear distinction between directly identifying information and pseudonymous data. It encourages the use of pseudonymous information and expressly provides that "the application of pseudonymization to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations".