What is GDPR
GDPR stands for General Data Protection Regulation. It is being introduced by the EU as an update to the 95 Privacy Directive. The GDPR regulates how companies collect and process personal data, what they can and cannot do with that data, and stipulates certain penalties for non-compliance. Companies that collect and/or process personal data from EU data subjects must be compliant with GDPR by 25th May 2018.
This document is not intended to act as legal advice, or even to dictate the steps our clients and partners should take to be in compliance with the GDPR. Rather, the goal of this document is to share some of the steps that Zaius is taking as we move towards GDPR compliance. GDPR will necessitate a significant amount of cooperation across the digital media marketplace, and Zaius stands ready to be a privacy-safe partner.
Role of Zaius & GDPR
The GDPR adopts a broad definition of personal data, including email address, postal address and pseudonymous data such as IP address, cookie ID and mobile advertising ID – and any data point attached to such data. Zaius processes the data on the platform only as directed by our clients. Accordingly, Zaius collects, processes and stores personal data via the platform as a data processor. Unlike a data controller, which is the entity that owns and controls personal data under EU data protection law, the data processor’s role is to process data only as instructed by the data controller.
Relevant personal data for the Zaius Platform
Zaius typically collects and processes the following types of personal data on its platform: email addresses, telephone numbers, IP address, mobile advertising ID, and log file information regarding the mobile devices of the customers and prospective customers (collectively, Internet users) of clients of Zaius. Zaius may create profiles based upon this log file information and may obtain additional profiles from third-party partners upon the request of our client. While we are reviewing the data we collect pursuant to conducting a data privacy impact assessment, at this time we believe that none of these profiles are considered sensitive under applicable EU law. Zaius clients may place additional data onto the platform. As data controllers, clients are ultimately responsible for evaluating the data placed onto the platform and are strongly encouraged (and likely required by GDPR) to conduct their own privacy impact assessments.
What data processing mechanism will Zaius use for GDPR?
Zaius Network data storage
Based on the nature, scope, context and purposes of Zaius’ processing activities as well as the risk and severity for the rights and freedoms of Internet users, the personal data processed on the Zaius platform will always be subject to technical and organizational measures affording a high level of protection to such data.
Data Access and Deletion Rights
Data Retention and other Data Governance Issues
Zaius will store personal information collected via the network for a reasonable period of time given the level of sensitivity of the data collected. While we of course don’t anticipate having a data breach, in the event that there is a security incident, Zaius will provide notice of and fully collaborate in the resolution of the incident as required under GDPR. Zaius will maintain records on personal data processing, including a record of all categories of processing activities carried out on behalf of the client.
Zaius will have the requisite contractual provisions including data transfer addendums with clients and partners which outline responsibilities and technical and operational measures, and apportion liability.
Zaius transfers the personal data we process to the U.S. for processing and will leverage our participation in the Privacy Shield Program. We will also utilize model contractual clauses upon the request of clients.
Zaius, Zaius’ Partners and SubProcessors
Zaius will make a list of its subprocessors available on its website or web interface and will update such list when needed. If the subprocessing activities include transfer of personal information to third countries outside the EU, this document will also contain information on such transfers and the safeguards put in place by Zaius.
Data Protection Officers and Representatives
GDPR requires companies that engage in “regular and systematic monitoring” of data subjects “on a large scale” to appoint a data protection officer. Accordingly, Zaius is in the process of engaging a Data Protection Officer and Representative to (among other things) help with our privacy impact assessments, monitor our privacy program and act as a point of contact for data subjects and supervisory authorities.
EFFECTIVE DATE: November 20, 2017; Updated: November 20, 2017.
For all questions, please contact firstname.lastname@example.org.