On 25 May 2018, the EU General Data Protection Regulation (“GDPR”) comes into force, replacing the 1995 EU Data Protection Directive. The GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to unify data protection laws across Europe, regardless of where that data is processed.
The regulation could have a profound impact on the programmatic advertising industry. We covered those bases in a previous blog post.
To learn more about the GDPR from an ad fraud and privacy perspective, check out our Q&A with Jay Seirmarco, our SVP of Operations and Legal Affairs.
This post will focus on Pixalate's role as it relates to the GDPR. We will also answer some of the questions we are most frequently asked.
Yes, Pixalate is GDPR-compliant
Pixalate is compliant with the GDPR. We have taken significant administrative and technical measures to ensure our GDPR compliance. Here's a brief list:
- Confirmed our legal basis for processing personal data in accordance with the GDPR
- Assessed and improved our data governance infrastructure
- Identified our key compliance stakeholders
- Adopted business partner qualification processes
- Implemented and documented our information security measures
- Established processes to deal with potential breaches
- Adopted the Privacy Shield frameworks for our transfers of data from the European Economic Area (EEA) to the US
Fraud prevention is Pixalate's legal basis for processing personal data
Article 6 of the GDPR provides a right to process personal data to further legitimate interests, provided that doing so will not infringe adversely upon the fundamental rights and freedoms of individuals.
Recital 47 of the GDPR states expressly that the “processing of personal data strictly necessary for the purposes of preventing fraud” constitutes a legitimate interest, and such provision serves as our legal basis for the processing of personal data under the GDPR.
What about the people we work with? We've covered that base, too.
Our business partner qualification is aligned with our fraud prevention mission
In order to protect the digital advertising supply chain and prevent fraud, we limit our business relationships to legitimate enterprises that demonstrate a shared interest in detecting and filtering invalid traffic (“IVT”). Each vendor that we utilize to process personal information goes through our rigorous selection process.
For more information on this process, please see our GDPR page: http://www.pixalate.com/gdpr/
The European Commission model contracts and the EU-US and Swiss-US Privacy Shield Frameworks
The GDPR provides several mechanisms to facilitate transfers of personal data outside of the EU. The European Commission shared model contracts for the transfer of personal data to non-EU countries.
Additionally, the EU-US and Swiss-US Privacy Shield frameworks provide companies with a mechanism to comply with data protection requirements when transferring personal data from the EU and Switzerland to the US.
We rely upon both model contracts and certification under the Privacy Shield frameworks as bases for US-based processing of personal data regarding EU data subjects.
We stay on top of the latest trends and undergo an annual audit
We are accredited by the Media Rating Council (“MRC”) for sophisticated invalid traffic (SIVT) detection and filtration for desktop and mobile web impressions. In connection with our MRC accreditation, an independent auditing firm performs testing procedures annually, including information technology (“IT”) security procedures pursuant to COBIT. We also leverage the Privacy Principles for GDPR Compliance from the Information Systems Audit and Control Association (ISACA), which are aligned with COBIT and GDPR Article 35.
For more information, please see our GDPR page: http://www.pixalate.com/gdpr/