What is GDPR

GDPR stands for General Data Protection Regulation. It is being introduced by the EU as an update to the 95 Privacy Directive. The GDPR regulates how companies collect and process personal data, what they can and cannot do with that data, and stipulates certain penalties for non-compliance. Companies that collect and/or process personal data from EU data subjects must be compliant with GDPR by 25th May 2018.

This document is not intended to act as legal advice, or even to dictate the steps our clients and partners should take to be in compliance with the GDPR. Rather, the goal of this document is to share some of the steps that Zaius is taking as we move towards GDPR compliance. GDPR will necessitate a significant amount of cooperation across the digital media marketplace, and Zaius stands ready to be a privacy safe partner.

Role of Zaius & GDPR

The GDPR adopts a broad definition of personal data, including email address, postal address and pseudonymous data such as IP address, cookie ID and mobile advertising ID – and any data point attached to such data. Zaius processes the data on the platform only as directed by our clients. Accordingly, Zaius collects, processes and stores personal data via the platform as a data processor. Unlike a data controller, which is the entity that owns and controls personal data under EU data protection law, the data processor’s role is to process data only as instructed by the data controller.

Relevant personal data for the Zaius Platform

Zaius typically collects and processes the following types of personal data on its platform: email addresses, telephone numbers, IP address, mobile advertising ID, and log file information regarding the mobile devices of the customers and prospective customers (collectively, Internet users) of clients of Zaius. Zaius may create profiles based upon this log file information and may obtain additional profiles from third-party partners upon the request of our client. While we are reviewing the data we collect pursuant to conducting a data privacy impact assessment, at this time we believe that none of these profiles are considered sensitive under applicable EU law. Zaius clients may place additional data onto the platform. As data controllers, clients are ultimately responsible for evaluating the data placed onto the platform and are strongly encouraged (and likely required by GDPR) to conduct their own privacy impact assessments.

What data processing mechanism will Zaius use for GDPR?

While it is ultimately the responsibility of our clients (who generally fit into the category of data controller) to determine which processing mechanism is appropriate for them, Zaius is putting into place pages which may be used by our clients to obtain consent. Clients may determine (in consultation with their own legal counsel) that “legitimate interest” is a viable processing mechanism. Regardless, Zaius will be in a position to support whichever processing mechanism is chosen by each client. Clients will need to inform visitors to their digital properties in detail of such basis for processing in their privacy policy and provide an easily accessible and easy to use opt-out mechanism for a user to withdraw their consent. Zaius will provide mechanisms that enable users to withdraw consent. When a user visits a digital property where the Zaius platform is enabled, Zaius’ systems will check to determine whether the user has withdrawn their consent via the mechanism offered by Zaius (or via one created directly by our clients). For users that have not withdrawn their consent, Zaius will continue to process data on that user.

Zaius Network data storage

Based on the nature, scope, context and purposes of Zaius’ processing activities as well as the risk and severity for the rights and freedoms of Internet users, the personal data processed on the Zaius platform will always be subject to technical and organizational measures affording a high level of protection to such data.

Data Access and Deletion Rights

When a data subject exercises his right of access and deletion, Zaius will provide a copy of all personal information pertaining to that user on the platform. Our plan is to lay out the exact process for data subject requests on the Zaius website as a link from the Zaius privacy policy. We will require that the data subject be in a position to reasonably authenticate themselves and provide assurances that the personal data belongs to them. To the extent that data subject authentication reveals that Zaius has incorrectly inferred data to that User’s profile, Zaius will take reasonable steps to purge that data from that User. Zaius will also undertake necessary steps when informed that the user exercises his right to restrict processing. Depending on the volume of requests from users, we may also build a self-serve portal for users to access and delete and/or amend their own personal information. Zaius will look to obtain permission via contracts with clients to ensure that we have sufficient rights to turn over this data.

Data Retention and other Data Governance Issues

Zaius will store personal information collected via the network for a reasonable period of time given the level of sensitivity of the data collected. While we of course don’t anticipate having a data breach, in the event that there is a security incident, Zaius will provide notice of and fully collaborate in the resolution of the incident as required under GDPR. Zaius will maintain records on personal data processing, including a record of all categories of processing activities carried out on behalf of the client.

Zaius will have the requisite contractual provisions including data transfer addendums with clients and partners which outline responsibilities and technical and operational measures, and apportion liability.

Zaius transfers the personal data we process to the U.S. for processing and will leverage our participation in the Privacy Shield Program. We will also utilize model contractual clauses upon the request of clients.

Zaius, Zaius’ Partners and SubProcessors

Zaius will make a list of its subprocessors available on its website or web interface and will update such list when needed. If the subprocessing activities include transfer of personal information to third countries outside the EU, this document will also contain information on such transfers and the safeguards put in place by Zaius.

Data Protection Officers and Representatives

GDPR requires companies that engage in “regular and systematic monitoring” of data subjects “on a large scale” to appoint a data protection officer. Accordingly, Zaius is in the process of engaging a Data Protection Officer and Representative to (among other things) help with our privacy impact assessments, monitor our privacy program and act as a point of contact for data subjects and supervisory authorities.

EFFECTIVE DATE: November 20, 2017; Updated: November 20, 2017.

For all questions, please contact compliance@zaius.com.