GDPR

On 25 May 2018, a new Personal Data Protection Act will be implemented across Europe. The new act is commonly referred to as the ”GDPR”. This means, among other things, that any party that handles and shares personal data needs to document its processing of personal data, keep track of all personal data, delete personal data upon request and update agreements regarding the handling of personal data etc.

Advertisers

Adtraction has prepared and distributed Data Processing Agreements which specifically deals with the exchange of data between Adtraction and Advertisers. Please contact gdpr@adtraction.com if you represent an Advertiser and have not received such Data Processing Agreements.

Adtraction as Data Controller and the Advertiser as Data Processor

Adtraction shares some personal data with Advertisers that can be seen in Adtraction’s different reports when the Advertiser is logged into Adtraction’s system. Therefore, Adtraction and the Advertiser need to enter into a Data Processing Agreement where Adtraction is Data Controller and the Advertiser is Data Processor.

The Advertiser as Data Controller and Adtraction as Data Processor

The Advertiser also shares information with Adtraction, which under some circumstances may be personal data, e.g. order number for each transaction. This information is important for analysis of customer value and marketing spend etc. Therefore, Adtraction and the Advertiser need to enter into an agreement where the Advertiser is Data Controller and Adtraction is Data Processor.

Publishers

Adtraction has updated the Publisher Agreement. The Publisher Agreement comprises the following exhibits.

Exhibit 1 – Personal Data Processing Agreement. Adtraction collects and stores personal information about individuals who register as Publishers via Adtraction’s website. This data processing is done in accordance with Exhibit 1.

Exhibit 2 – Data Processing Agreement. This Data Processing Agreement applies to every occasion when the Publisher is processing personal data for which Adtraction is responsible under the Swedish Personal Data Act (PDA) and/or the GDPR (e.g. order number). Under this agreement, Adtraction is Data Controller and the Publisher is Data Processor.

Exhibit3 – Data Processing Agreement. This Data Processing Agreement applies to every occasion when Adtraction is processing personal data for which the Publisher is responsible under the PDA and/or the GDPR (the Publisher is controller for e.g. data collected from the Publisher’s visitors). Under this agreement, the Publisher is Data Controller and Adtraction is Data Processor.

Publisher’s processing of personal data

Publishers must adopt a Privacy Policy and present it to their visitors. The Privacy Policy should comprise, among other things, which personal data that is collected, why the personal data is collected, the legal basis for processing personal data, if such personal data is transferred to a third country outside the European Economic Area, the visitors’ rights and a description of the Publishers affiliate marketing activities.

Publisher’s legal basis for processing personal data

Under the GDPR, processing of personal data is only lawful to the extent that certain criteria are met, please see article 6 of the GDPR for more information.

Adtraction is not in a position to provide legal advice to Publishers regarding how to process personal data under the GDPR. However, we have observed that Publishers use the following legal basis to process personal data:

  1. The Publisher obtains consent from the Visitor to process his or her personal data (the legal basis is Article 6 (1) sentence 1 lit. a GDPR):
  2. There is a legitimate interest for the Publisher to process personal data (the legal basis is Article 6 (1) sentence 1 lit. f GDPR):

If you are not sure which legal basis you have for processing personal data, Adtraction recommends that you to seek legal advice. The collection of e-mail address, name etc. are examples of processing that in many cases require visitors consent.

Examples of what to include in Publisher’s Privacy Policy

Privacy Policy – Legitimate Interest

If you as a Publisher collect IP-addresses and similar information, you should include information about that in your Privacy Policy. An example of information to provide visitors could be as follows (if the legal basis for data collection is Article 6 (1) sentence 1 lit. f GDPR).

Collection of personal data when you visit our website

If you are only using the website for information and do not register or transmit information to us in any other way, we only collect the personal data which your browser transmits to our server. If you wish to view our website, we collect the following data that are technically necessary for us to display our website to you and guarantee its stability and security (the legal basis is Article 6 (1) sentence 1 lit. f GDPR):

  • IP address
  • Date and time of the enquiry
  • Time zone difference from Greenwich Mean Time (GMT)
  • Content of the request (specific page)
  • Access status / HTTP status code
  • Quantity of data transferred in each case
  • The website from which the request comes
  • Browser
  • Operating system and its interface
  • Language and version of the browser software

Privacy Policy – Visitor Consent

Adtraction has not included examples of Privacy Policy writings for processing of personal data based on visitors’ consent. Please consult your legal adviser for writings.

Information about Affiliate Marketing

Publishers should also inform their visitors of their affiliate marketing activities. Below is an example of a text that some Publishers use for this purpose.

[Publisher name] is a participant in different affiliate advertising programs made by Adtraction Marketing AB, designed to provide a means for sites to earn advertising fees by advertising and linking to Advertisers.