Emodo Complies with the GDPR
In May 2018 the European Union’s General Data Protection Regulation (GDPR) came into force, after extensive discussion in every industry forum that does business in the European Economic Area (EEA). Under this new regime of regulatory oversight, the concepts of integrity, transparency and accountability for data must characterise the way the digital advertising ecosystem operates.
The GDPR and associated regulations give clear direction not only about what is considered Personal Data, but also about the roles and responsibilities of the companies that collect data, the situations in which they may transfer it, and how they must preserve the rights of data subjects. In the dynamic Programmatic Advertising ecosystem, the roles and responsibilities of the participating companies must be clearly defined, and a thorough investigation into all aspects of the collection and processing of Personal Data must follow. Emodo has committed not only to protecting Personal Data and the rights of data subjects, but to creating ongoing processes by which all data is accounted for, users have transparency into how their data is handled, and contractual commitments to managing data securely and responsibly are honoured by us and by our contracting partners. As a processor of large volumes of Personal Data, Emodo recognizes its responsibility to respect privacy rights and to put in place appropriate standards of data protection.
This document discloses our types of data, our compliance program, our privacy safeguards and our data practices. It describes the tools and artifacts we use to ensure that all location data, subscriber attributes, segments and browsing history are collected, stored, transferred and deleted in accordance with the wishes of the data subject and the regulations of the region. This organizational effort allows Emodo to be a trusted partner in delivering compliant targeted advertising.
Emodo collects data from Data Controllers and Data Processors within the Programmatic Advertising ecosystem. Each of the data types described below serves a different purpose within our offerings. Whatever those differences, all of our contractual relationships have data privacy and protection principles at their core, governing the way we collect, store and manage those data sources.
Emodo processes many types of data to deliver targeted advertising solutions. In each of the data categories listed below, Personal Data is present as a subset of the data type. Each element of Personal Data requires a consent mapping, produced as part of a due diligence exercise, that identifies the entity that obtains and records the subject’s consent.
For any of the Personal Data in the categories below, especially Location and Session data, the subject’s consent is required not only to collect and use the data, but also to select segments based on behavioral traits. Explicit and unambiguous consent from a known source is required to comply with GDPR Article 6, Lawfulness of Processing. All organizations in the advertising ecosystem are now subject to this rule; to meet it, they must know the type of data being processed, the ultimate source of that data, and the ways in which the data subject can update and maintain that data.
Emodo uses the following data types in the Advertising Ecosystem:
The attributes in this data type typically include gender and age range. This data is pseudonymized by Advertising ID.
This data type typically includes attributes such as subscriber wireless plan name, plan type and zip code. This data is pseudonymized by Advertising ID.
Location Data
Location data defines the geographic location of a device at a point in time. It can be activated for monetization from several sources, such as GPS signals provided by apps, Wi-Fi networks and cellular networks. This data type typically includes attributes such as latitude, longitude, horizontal accuracy and timestamp. This data is indexed by Advertising ID.
Session Activity Data
Session activity data is derived by pseudonymizing and aggregating the user’s browsing activity data. This type of data allows Emodo to create audience segments based on online interests. This data type typically includes attributes such as URL, timestamp and user agent. This data is pseudonymized by Advertising ID.
Compliance with the GDPR
The data compliance program at Emodo is core to the way we do business. Below we detail the compliance mechanisms that are key to the GDPR compliance strategy implemented at Emodo. Each compliance area reflects our long-term commitment to the ongoing integration of the principles of the GDPR, and in each privacy mechanism described below we meet or exceed the compliance standard outlined in the EU regulation.
Contractual Roles and Responsibilities
The EU Data Protection Law outlines the responsibilities and roles of organizations, such as Emodo, that handle Personal Data relating to an EEA-based data subject.
These roles are defined in GDPR Article 4 as “Controller” and “Processor”. The degree of control an organization has over Personal Data is the determining factor. The “Controller” is the organization that determines the purposes for which, and the way in which, Personal Data is processed. By contrast, a “Processor” is one that processes Personal Data on behalf of the Data Controller.
In all of its contracts related to digital advertising, Emodo is a “Processor” of Personal Data, either directly on behalf of the Data Controller or as a Sub-Processor on behalf of other Data Processors. As a Data Processor, we have committed contractually to GDPR-compliant clauses that:
- Qualify our contracts as GDPR compliant, with roles and responsibilities defined and transparent in accordance with GDPR Articles 24 to 43; and
- Define an explicit scope for processing the Personal Data, consistent with the data subjects’ privacy rights and consents as managed by the Data Controller.
Data Processing Addendums (DPA)
The contractual clauses that detail Emodo’s responsibilities as a Data Processor are set out in Data Processing Addendums (DPAs) and included in all contracts under which Personal Data is collected and processed. Whenever we process data that includes Personal Data of EEA subjects, a DPA must be signed with the Data Controller or Data Processor from whom we collect the data. This is a non-negotiable requirement. If an organization in the Ad ecosystem cannot commit to and sign the provisions of a GDPR-compliant DPA (as defined by Article 28), then Emodo will not process Personal Data on its behalf.
The content of the Data Processing Addendums includes the security measures we use to collect, store and use data in the specific products and services described in the contract. It also clearly defines the roles and responsibilities of each party in handling Personal Data belonging to EEA subjects, and commits both parties to following the GDPR and other applicable privacy regulations as a condition of establishing a business relationship. The DPA also gives the Data Controller the right to audit, change and terminate the processing we perform. This matters to Advertisers because it ensures that all data maintained by Ericsson Emodo has a transparent path back to the data subject, which eliminates unknown data sources and documents the lawful basis for processing.
Consent Management and Processing
Collecting and maintaining consent in compliance with Article 7 falls to the Data Controllers, who have both the ability and the obligation to obtain clear, transparent and compliant consent from their data subjects. As a contractual condition of our DPAs, Controllers are held responsible for the consent of the data subjects, as expressed in the clauses required by Article 28. In addition, Emodo can accept and act on consent signals that a Consent Management Platform (CMP) generates and that Data Controllers send in the RTB stream, per the recently released IAB OpenRTB v3.0 standard.
Ericsson Emodo participates in the IAB Europe’s Transparency & Consent Framework.
The IAB website is available for review at http://www.advertisingconsent.eu/
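As an added illustration (not Emodo’s code, and not part of the original page), the following Python shows what acting on a CMP consent signal in the RTB stream looks like in practice: it decodes an IAB TCF v1.1 consent string and refuses to process Personal Data unless the GDPR flag says the request is out of scope, or the string grants consent to our vendor id for every purpose we need. It assumes the OpenRTB 2.5 GDPR extension field names (regs.ext.gdpr and user.ext.consent) rather than the OpenRTB 3.0 layout the text names, the TCF v1.1 bit layout (a 173-bit header followed by a vendor bitfield or range section), and TCF v1 purpose numbering; the vendor ids, purpose ids, CMP id and bid requests are constructed sample data.

```python
# Added illustration: gating Personal Data processing on the IAB TCF v1.1 consent
# string carried in an OpenRTB 2.5 bid request (regs.ext.gdpr, user.ext.consent).
# Vendor ids, purpose ids and the bid requests used below are constructed sample data.
import base64
import time

class BitWriter:
    """Packs big-endian bit fields; emits web-safe base64 without padding."""
    def __init__(self):
        self.bits = []

    def write(self, value, nbits):
        self.bits.extend((value >> i) & 1 for i in range(nbits - 1, -1, -1))

    def encode(self):
        bits = self.bits + [0] * (-len(self.bits) % 8)          # pad to a byte boundary
        data = bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))
        return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

class BitReader:
    """Reads big-endian bit fields from a TCF string; raises on truncation."""
    def __init__(self, consent):
        data = base64.urlsafe_b64decode(consent + "=" * (-len(consent) % 4))
        self.bits = "".join(f"{b:08b}" for b in data)
        self.pos = 0

    def read(self, nbits):
        chunk = self.bits[self.pos:self.pos + nbits]
        if len(chunk) < nbits:
            raise ValueError("truncated consent string")
        self.pos += nbits
        return int(chunk, 2)

def encode_consent_v1(purposes, vendors, max_vendor_id, use_range=False):
    """Build a TCF v1.1 string the way a CMP would (constructed sample for the demo)."""
    w = BitWriter()
    now = int(time.time() * 10)                                  # deciseconds since epoch
    for value, nbits in [(1, 6), (now, 36), (now, 36), (7, 12), (1, 12), (1, 6),
                         (4, 6), (13, 6), (100, 12)]:            # ..., language "EN", list version
        w.write(value, nbits)
    w.write(sum(1 << (24 - p) for p in purposes), 24)            # purpose 1 is the MSB
    w.write(max_vendor_id, 16)
    if not use_range:                                            # bitfield: one bit per vendor id
        w.write(0, 1)
        for vid in range(1, max_vendor_id + 1):
            w.write(1 if vid in vendors else 0, 1)
        return w.encode()
    runs = []                                                    # collapse ids into [start, end]
    for vid in sorted(vendors):
        if runs and runs[-1][1] + 1 == vid:
            runs[-1][1] = vid
        else:
            runs.append([vid, vid])
    w.write(1, 1)                                                # range encoding
    w.write(0, 1)                                                # default for unlisted ids: no consent
    w.write(len(runs), 12)
    for start, end in runs:
        w.write(0 if start == end else 1, 1)                     # single id or start..end pair
        w.write(start, 16)
        if start != end:
            w.write(end, 16)
    return w.encode()

def decode_consent_v1(consent):
    """Return {'purposes': set, 'vendors': set}; raise ValueError on bad input."""
    r = BitReader(consent)
    if r.read(6) != 1:
        raise ValueError("unsupported consent string version")
    for nbits in (36, 36, 12, 12, 6, 12, 12):                    # created .. vendorListVersion
        r.read(nbits)
    purpose_bits = r.read(24)
    purposes = {p for p in range(1, 25) if (purpose_bits >> (24 - p)) & 1}
    max_vendor_id = r.read(16)
    if r.read(1) == 0:
        vendors = {vid for vid in range(1, max_vendor_id + 1) if r.read(1)}
    else:
        default, listed = r.read(1), set()
        for _ in range(r.read(12)):
            single = r.read(1) == 0
            start = r.read(16)
            listed.update(range(start, (start if single else r.read(16)) + 1))
        everyone = set(range(1, max_vendor_id + 1))
        vendors = everyone - listed if default else listed
    return {"purposes": purposes, "vendors": vendors}

def may_process_personal_data(bid_request, vendor_id, required_purposes):
    """True only if GDPR does not apply, or consent covers our vendor id and every purpose."""
    gdpr = bid_request.get("regs", {}).get("ext", {}).get("gdpr")
    if gdpr == 0:
        return True
    # gdpr == 1, or absent: unknown applicability is treated as in scope (conservative choice)
    consent = bid_request.get("user", {}).get("ext", {}).get("consent")
    if not consent:
        return False
    try:
        parsed = decode_consent_v1(consent)
    except ValueError:
        return False                                             # malformed or unknown version
    return vendor_id in parsed["vendors"] and set(required_purposes) <= parsed["purposes"]
```

A missing gdpr flag is treated as in scope, and a missing, truncated or unknown-version string as no consent, because the safe failure for a Processor is to not process. The encoder exists only to construct test strings; it exercises both the bitfield and the range vendor encodings so the decoder is checked against each.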
Privacy by Design and Default (DPIA, Retention, Evaluation, and Data Inventories)
Privacy by Design and Default (PbD), mandated by GDPR Article 25, is formally a requirement on Controllers only. Nevertheless we, as a Data Processor, apply PbD methods to all of our products in the EEA.
These PbD processes include the following:
- Evaluating all data we collect for applicable regulatory and business integrity compliance (Article 5)
- Completing a Data Protection Impact Assessment (DPIA) for all data collected in the EEA (Article 35)
- Maintaining a data inventory of all data flows and data elements/types used in producing audience segments and location verification on behalf of Data Controllers and Processors, covering data in use, in motion and at rest (Article 30)
- Implementing processes that enforce data retention limits (Article 5(1)(e))
- Deleting all Personal Data belonging to a Data Controller or Processor when the contract is no longer in force (DPA clauses, Article 28)
- Continually evaluating the data security measures appropriate to our regulatory and contractual obligations and to the data types we hold, such as encryption, pseudonymization and appropriate firewalls (Article 32)
Data Subject Rights
The GDPR gives data subjects the right to give and withdraw consent, and to access, correct and delete (Articles 12 to 23) all forms of Personal Data an organization holds on them. Emodo has developed procedures and processes to address all of these rights. Our consent management methods are covered in the previous section; we also have methods to locate any Personal Data we may hold by Advertising ID, IP address or other pseudonymous identifier, to act on the subject’s wishes, and to communicate with data source partners when the situation requires.
Unlike the earlier Data Protection Directive, the GDPR has extraterritorial scope: it requires compliance from organizations that may not be located in the EEA but are involved in collecting Personal Data on EEA data subjects. The GDPR defines data subjects not by citizenship or residency, but as any person in the EEA. This could mean a visitor to the EEA using a mobile device, or any website or application that is accessible to EEA subjects. Emodo has evaluated these scenarios and has created ways to identify and flag user data that falls under the GDPR. We have spent much of the last year defining process methodologies that apply to any data collected in the EEA, regardless of where our partner or customer may be physically located. This allows customers to know that all data used for their campaigns is handled appropriately. Emodo stores and processes all data obtained from EEA subjects in a regional data center.