General Data Protection Regulation
The General Data Protection Regulation is a European Data Privacy law approved by the European Union. The GDPR is fundamentally about protecting Personally Identifiable Information (PII). PII, per the GDPR, is defined broadly as any information that can be used on its own, or in conjunction with other data to identify an individual.
AudiencePoint stance on GDPR
Data privacy and security is the hallmark of AudiencePoint. It is the basis for the trust relationship with our customers. AudiencePoint has adhered to all Privacy Shield Framework, and, prior to that, the Safe Harbor Privacy Principles. Great effort went into our architecture in order to ensure PII data is not stored in the AudiencePoint Global Data Pool. Data storage is a strong cryptographic cypher and pertinent log behavior (event type and event date).
We are a third-party data processor
The GDPR define processing as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.
AudiencePoint is a third-party data processor (DP), and as such there are special provisions placed on third-party DP through the GDPR. The provisions are:
- Contact details for the controller
These details are supplied by AudiencePoint customers.
- Purpose of the data
To identify the optimal send time for each subscriber.
- Retention period
No PII data is stored. Customers past/present can request to have their data destroyed at any point.
- Legal basis
AudiencePoint does not maintain PII Data in its Global Data Pool. However, we do treat our data with great care. Therefore, we adhere to the following aspects of the GDPR for DP.
- Only process personal data on instructions from the controller and inform the controller if we believe said instruction infringes on the GDPR (28.3). We will not opportunistically use or mine personal data that we are entrusted with.
- Obtain written permission from the controller before engaging a subcontractor (28.2), and assume full liability for failures of subcontractors to meet the GDPR (28.4)
- Upon request, delete or return all personal data to the controller at the end of service contract (28.3.g)
- Enable and contribute to compliance audits conducted by the controller or a representative of the controller (28.3.h)
- Take reasonable steps to secure data, such as encryption and pseudonymization, stability and uptime, backup and disaster recovery, and regular security testing (32.1)
- Notify data controllers without undue delay upon learning of data breaches (33.2)
- Restrict personal data transfer to a third country only if legal safeguards are obtained (46)
Data Controller and AudiencePoint
Our customers are controllers (DC), and have a more stringent expectation placed on them to support the rights of data subjects(DS). These rights are defined in chapter 3:
- Right of access – Features exist that allow the DS to query the AudiencePoint global data pool to see his/her data.
- Right of Recertification – There is no data for DS to change as the only values that are stored are a strong cryptographic cypher and log data.
- Right of Erasure – Feature exists which allow DS to have their data erased that was supplied by the DC.
- Right to Restriction of processing – Only DS that is provided to AudiencePoint is processed.
- Notification Obligation – AudiencePoint will notify its customer per article 16, 17(1) and 18.
- Right to data portability – AudiencePoint is built on a RESTful interface. All data is made portable through this feature.
- Right to object – DS who object to processing per Section 2 and Section 3 of Chapter 3, will not be processed when they are not included in the audience file provided to AudiencePoint.
- Automated decision-making – Although there is extensive use of automation, the controller selects the optimal send window and the unengaged time.
- Receive communication regarding data-breach – AudiencePoint communicates data-breaches according to its publicly available policies.
- Time limits – With proper communications, the data controller can ensure that data subjects can exercise their rights with within the legally required time limits.
Cross-border data protection
The GDPR permits personal data transfers to a third country or international organization subject to compliance with set conditions, including conditions for onward transfer. AudiencePoint hosts all data in a Tier IV data center. For more information on hosting, please request the AudiencePoint Security document.
Why is compliance important?
Compliance is important because of the social contract between the DS, the DC and DP. Compliance to the GDPR articulates that relationship in clear, reliable terms.
If you have questions or would like more details, please feel free to reach out to us directly at firstname.lastname@example.org