GDPR

GDPR compliance

1. Who is your Data Protection Officer?

According to the GDPR, it is not obligatory to have a DPO at our company, however, all questions and issues regarding privacy must be addressed to Eskimi advisers “Ivanauskas & partners” and specifically our counsel Tomas Ivanauskas.

2. What personal data are you processing?

Eskimi processes and uses for the provisioning of DSP services so-called indirect data, such as location, device specifications, browsing history, etc. No data allows Eskimi identify the specific person and to know their name, phone number, or any other directly linkable personal data.

3. How do you gather consent (Clear affirmative act, GDPR preamble p.32) of people you process their personal data?

Eskimi processes data that was gathered by our partners by either obtaining the consent from the data subjects or on other legal grounds for data control (such as legitimate interest, service provisioning, data security, etc.). The data has been transferred to Eskimi on a legitimate contractual basis having permission from the data subject. Eskimi requires that partners would ensure that the data initially has been collected on a legitimate basis. 

4. How do you ensure it is transparent to natural persons that personal data concerning them are collected, used, consulted, or otherwise processed? (GDPR preamble p. 39).

Eskimi is a vendor in the IAB Transparency and Control Framework. Framework dictates how collection, use and processing should be described. Eskimi adheres to these standards. In addition, data processing activities are clearly and transparently described in Eskimi Privacy Policy.

5. Data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing (GDPR preamble 63). How these rights can be exercised?

Eskimi has a special procedure and a form for data subjects to request information about the scope of a person's data processing including the possibility to require that the processing would be stopped and/or the data would be deleted. We follow all the provisions of GDPR ensuring that the data subject would have full access to information about his/her data processing. Normally we would provide all the information requested under the Data Subject Access Request Form within 30 calendar days.

6. For how long you keep data in your databases?

Data is only kept for a limited period of time that is strictly required to perform the obligations towards the clients under the contracts or observing other legal requirements. The data is periodically reviewed and deleted if it is not required for the purposes of business, according to Data Retention and Erasure Policy.

7. Do you have a data breach policy?

Eskimi has a procedure according to which the data breach incidents are detected, reported, and addressed. Eskimi complies with the GDPR provisions for reporting data breach incidents to relevant data authorities as well as data controllers. 

Key statements:
- Eskimi is fully GDPR compliant.
- Eskimi is data processors for the provision of B2B services.
- Eskimi does not process any direct personal data.
- Eskimi obtains data from data controllers and check with them for the legal basis of data use.
- Eskimi ensures that the user access we provide to our clients is based on either consent of the user or has another legal basis for processing.

Eskimi and GDPR

 

GPDR requires companies to have applicable legal basis for:
1. Any kind of user data used
2. All ways of how is that data used

In online advertising, companies normally use non-personally identifiable data (such as cookies, device IDs) to target users and measure ad performance.
In order to perform these activities, an applicable legal basis is needed. It is Eskimi, as well as most of the market, understanding that 2 legal basis are appropriate here: consent and legitimate interest.

Consent
Consent is when user says 'yes' to the kinds of data and to the ways of data. User can agree or deny to companies processing user data.

Legitimate interest

Legitimate interest is when a company must use user data to survive and it can not hurt the user in any way. User can object to legitimate interest claims.

How to achieve all this for companies?

There can be multiple ways of asking users for consent and/or showing legitimate interest declarations.  The most used one, and the one we use in Eskimi, is by using Transparency and Consent Framework (TCF).

What is TCF?
TCF is framework to pass if user consented and/or objected to legitimate interest to online advertising companies. It is not the law - it's how companies like Eskimi understand the law.

TCF consists of:
* CMP (consent management platform): actual popup where user sees and selects: data usage purposes, companies
* Preferences string: 
* Vendors: companies using user data

Eskimi DSP (vendor name - Eskimi, vendor ID - 814) is part of the IAB approved TCF vendors. 

Global TCF vendor list: https://iabeurope.eu/vendor-list/

To sum up, TCF allows:
* Showing purposes - how will companies use data

* Showing types  - what data will those companies use

* Allowing user accept/reject usage of this data

* Passing user preferences to the companies

What do clients have to do? 

Client page should have a CMP (Consent Manager Platform) integrated on the website and make sure that "Eskimi" is on the vendor list. CMP usually handles a lot of integration automatically and provides customisability in order to correctly generate the consent string.
Then, if user agrees with Eskimi data purposes and what data will be used.

How to check if Eskimi is under the CMP vendor list?

Visit the page you want to check. You should be greeted with a notice. Such as the below one. Click on manage settings

image-1616673632057.png

After clicking manage settings you will be greeted content and legitimate interest that were introduced before. 

Untitled design-5.png

Search for partner list

Untitled design-6.png

When the partner list will be visible search for Eskimi. Both legitimate interest and consent should be enabled for Eskimi so we would get user consent. If the content isn't enabled for Eskimi by the user the consent won't be received. 

n5Zuntitled-design-7.png

What if I don't use a TCF-based CMP?

If you don't use a TCF-based CMP, you have 2 choices:
* Integrate one. More information on manual integration without CMP can be found here: https://iabeurope.eu/tcf-for-publishers/ 
* Discuss with your legal if any other solution is applicable to you (some other consent management way). if yes, please reach out to us.

What are the GDPR countries? Where does this apply? 
GDPR applies to these countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czechia, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom. 

Practical Cases

Eskimi Data Segments

Before heading to practical cases it is important to share where user's content is used and the absence of it may influence calculation of these audiences. 

Practical Cases

In this paragraph we will share practical cases how user's consent may influence audience collection and how these issues can be resolved at some extent. 

Before heading to the core of the issue it is necessary to understand that user's personal information isn't used when generating the report. However, it is used when audience is collected such as campaign audience.

Campaign Audience Collection

Adops are running programmatic advertising for an FMCG brand in Hungary. After few days they noticed that on the report campaign generated 7 921 clicks, while in the campaign audience section unique click audience seeks only 681. This case indicates few core issues: 

  1. Publisher haven't included us as a vendor: Some of the publishers add all the TCF vendors into their CMP. However, there will definitely be publishers that will closely monitor every vendor and only add part of them and Eskimi may not be one of them. Even though Eskimi is advertising on thousands on publishers through the campaign traffic is received from core publishers. So it is possible to check if we are added under their CMP. It can be done by clicking "Vendors" when the cookie notice pops up. If after some digging adops realise that under the top publishers we are not added as a vendor, adops should contact the publishers directly and ask them to add us as a vendor. image-1613978562762.JPG
  2. User haven't given us the consent: Let's consider that all the top publishers actually added us as a vendor. However, click audience still is much smaller than what adops see on the report. Then the primary reason why the audience isn't accumulating is that users didn't give us the consent. Unfortunately, these cases cannot be influences as we fully comply with the laws of GDPR and user data cannot be collected without their permission. 
Remarketing Audience Collection 

Adops are running programmatic advertising for a retail brand in Germany. The client wanted to collect remarketing audience from their website so they have implemented Eskimi's tracking pixel. After few days of advertising adops noticed that campaign already generated 10 132 clicks, while the remarketing audience pool seeks 0. This case as well can have clear reasons why the audience isn't accumulating:

  1.  Client hasn't included us a vendor: Naturally, if a client just started working with Eskimi they may not be aware of the fact that they should add us under their vendor list in their CMP. To overcome this issue a clear and consistent communication should be done between different parties. Firstly, Eskimi's Business Managers should check with the client has a CMP. If so BM's should clearly communicate that UAB Aktyvus Sektorius should be added as a vendor under their CMP, if this won't be done the remarketing audience won't be collected. Secondly, when adops sends the client the tracking pixel for implementation it is necessary for double-check if the client has CMP and can add us as a vendor. 
  2. User haven't given us the consent: Let's consider that client added us as a vendor. However, remarketing audience still is much smaller than what adops see on the report. Then the primary reason why the audience isn't accumulating is that users didn't give us the consent. Unfortunately, these cases cannot be influences as we fully comply with the laws of GDPR and user data cannot be collected without their permission. 

There might be more similar cases like these, but the reasons may be rather the same. Therefore, further analysis should be done.

Things to consider

All of these things may seem rather complicated. However, this is where the digital landscape is heading. To not get lost and overcomplicated things there are few things to consider.

  1. GDPR is only applicable to EU countries. So if the impression audience isn't accumulating for a programmatic campaign in Africa, then the reason will be different. 
  2. Investigate. It is crucial to first check top publishers' vendor lists before heading to escalations. 
  3. Communication. Be open with the client and clearly communicate the requirements for advertising in EU. Everybody is responsible. 
  4. Documentation. Use this documentation as the basis of your knowledge. 
  5. Share feedback. If something isn't clear and there is a need for more information, contact the management. 
  6. Reasoning. Think logically and search for clear reasons for the issue. 

    image-1631711203468.png