Due to the entry into force of the European General Data Protection Regulations (GDPR), AdRiver (“we,” “us,” “our”) hereby states its position regarding the application of this document to the services provided by our company.
What is personal data according to GDPR?
According to the GDPR, definition of personal data is quite vague. The GDPR determines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
In this, the GDPR establishes a distinction between two different categories of personal data:
Direct identification of information: a subcategory of personal data that allows direct identification of a person (for example, name, surname, social security number, etc.).
Pseudonymous data: a subcategory of personal data that allows selecting individual behavior without direct specification of the data subject (for example, cookie ID, hashed email, device ID, etc.).
The pseudonymous data itself does not allow identification of a specific person. By means of such a data it is possible to select such a person from a group, in particular, based on online identifiers such as an IP address, cookie identifiers or mobile advertising identifiers.
According to the GDPR, pseudonymisation of personal data can reduce risks for data subjects and help controllers and processors to fulfill their data protection obligations. Pseudonymisation means that personal data is processed “in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”.
The role of AdRiver according to GDPR
AdRiver together with its customers acts as a joint controller.
Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data.
Definition of the joint controllers status
Being joint controllers does not necessarily mean that each side is responsible for everything. The Article 26 of the GDPR determines the scope of responsibility in the agreement of controllers.
Customers are responsible for user information and obtaining consent in countries where it is mandatory. This is justified by the fact that AdRiver does not have control over the denial of confidential treatment and the websites of customers.
AdRiver is directly responsible for all other aspects related to its technologies and services (data security and retention, user rights, etc.). This is justified by the fact that customers do not control our data centers or security processes.
Application of the GDPR to the services that AdRiver offers
The GDPR is applied to digital marketing services that use tracking technologies to provide targeted advertising. By providing services to our customers, we do not collect or process personally identifiable information (PII), such as:
- postal addresses,
- phone numbers.
We also do not receive any additional data from third parties, which, along with the data collected by us, would allow us to identify any person.
Data collected by AdRiver does not allow us to directly identify a user as this data is pseudonymized at the time of collection. Thus, from the very beginning, our data processing activities pose a significantly lower risk of violation of the privacy rights of data subjects in comparison with the processing of PII.
What data about Internet users do we collect?
AdRiver recognizes that the data collected for its services is pseudonymous data associated with visiting a website. All user data that we collect is transmitted using the installed AdRiver tag.
The AdRiver tag transmits the information about visiting a webpage.
AdRiver uses several types of tracking tags. For the majority of e-shops these are:
- floodlight tag (informs us about being on the website);
- order tag (informs us about the start of order, for example, by pressing the button “Checkout”)
Tags can also transmit:
- good/category identifiers, seen by user,
- good identifiers, added to bag,
- identifiers of goods bought,
- hashed CRM identifier for cross device retargeting. AdRiver uses modern data hashing algorithms to pseudonymize data.
We collect as well:
- user agent: users’ device type and browser type,
- referrer: URL, where the tag has been installed,
- timestamp: time and info about the installed tag,
- IP-address: to identify/geolocation,
- сookie or mobile advertising identifier for mobile apps, where сookie files are not supported. AdRiver services use randomized cookie tokens that allow us to identify a user relative to other Internet users, but we can not make a direct identification of such a user.
Controller Data Protection Officer: Nevenchannyy Nikita “firstname.lastname@example.org”