Getting ready for the GDPR
Organizations established in the EU and processing personal data of EU-based individuals will, in almost all cases, be required to comply with the General Data Protection Regulation (GDPR) by May 25, 2018. The GDPR updates and harmonizes the framework for processing personal data in the European Union, and brings with it new obligations for organizations and new rights for individuals. Many organizations, large and small, are now preparing for the new regulation.
The team at Target Circle is fully committed to complying with the requirements of the GDPR. Our legal and policy experts have closely analyzed the requirements of the GDPR and continue to monitor new guidance on best practices for implementing the requirements of the GDPR. We have taken these new requirements to heart and made changes to our products, contracts and policies to ensure that we are fully in compliance with the GDPR before May 25, 2018. Target Circle services will comply with the GDPR when it becomes enforceable on May 25, 2018.
Worldwide Product Compliance
Many of our clients operate in multiple jurisdictions around the world. To ensure a consistent user experience, Target Circle has adopted the GDPR requirements to our entire platform and supports it worldwide. We believe that use of uniform rules and program logic will greatly enhance our all clients’ ability to comply with the GDPR’s requirements.
Roles and responsibilities
The GDPR defines different roles that carry different responsibilities with regards to personal data. It is important to understand the roles of Target Circle and its providers, advertiser and publishers:
Article 4 (7) of the GDPR defines the data controller as follows,
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Following that definition we regard every advertiser that uses the Target Circle platform either directly or indirectly through a provider as a controller within the meaning of the GDPR. In the context of the tracking services provided by Target Circle, the purpose and the means of the data processing are determined by the advertiser. Target Circle provides its white-label advertising technology to the advertisers and they determine, in their sole discretion, why (the purpose) and how (the means) to use it.
Article 4 (8) of the GDPR defines the data processor as follows,
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Following that definition we regard Target Circle as a processor within the meaning of the GDPR. As Target Circle offers its advertising technology as a Software-as-a-Service to advertisers, Target Circle only processes personal data on behalf of the advertiser, but never on its own behalf. Target Circle’s technology can be interpreted as a tool and the advertisers decide what for and how to use this tool. + Provider
Publisher as sub-processor + TC as sub-processor
Data Processing Agreements
As required by Article 28 (3) of the GDPR, the data processing between the advertisers as the data controllers and Target Circle as the data processor is governed by the Demand Partner Data Processing Addendum (Controller – Processor) or other similar data processing agreements. Derived from this principle, the data processing between the providers as the data processor and Target Circle as the data sub-processor is governed by the Demand Partner Data Processing Addendum (Processor – Sub-Processor) or other similar data processing agreements. As part of Target Circle’s procurement efforts towards the advertisers, the data processing between Target Circle as the data processor and the suppliers including, but not limited to third party data center operators, affiliates, publishers, ad media, media buyers, ad networks, demand side platforms (DSP), supply side platforms (SSP), outsourced marketing, business, engineering, customer support and traffic providers as the sub-processors is governed by Supply Data Processing Addendum (Processor – Sub-Processor) or other similar data processing agreements.
Our tracking service saves cookies in the browser of users that use websites of our customers and saves an identifier based on other information received from that browser. The cookies and identifiers are solely used to accurately track the success of the advertising campaigns of our customers and to attribute this success to the right publisher. We do not save, process or use personal data when doing so.
However, we offer the possibility to opt-out of our tracking here. Doing so will save an opt-out cookie in your browser that will prevent our tracking service from saving the tracking cookies and identifiers.
Data Protection Officer
Target Circle has designated as Data Protection Officer (DPO), as required by Article 37 of the GDPR:
Full name: Robbert Scholten
Role: Target Circle CTO
Address: Storgata 10, 2000 Lillestrøm, Norway
Target Circle is under the supervision of the Norwegian Data Protection Authority (Datatilsynet) as required by article 51 of the GDPR and in addition to that audited annually by its mandated auditors:
Myrdahl og Sveen