Fiksu DSP & GDPR
On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) becomes officially operative. Being a world-renowned advertising platform, Fiksu DSP maintains its commitment to protect the privacy of its users and abide by the legislation of all regions we operate.
We strive to deliver our advertising end-users (data subjects) the best experience. Thus, their personal data is processed under the “purposes of legitimate interests” as outlined in GDPR Article 6(1)(f). Additionally, such an approach helps us optimize investment for our advertising partners, fight against fraud, and reimburse our contractors and agents.
In order to give our partners the accurate understanding of this transition’s transparency, we have compiled this brief guide explaining how Fiksu DSP will fulfill its obligations under GDPR.
What is GDPR?
GDPR stands for the General Data Protection Regulation (EU) 2016/679, which is a European Union law governing privacy and data protection for all residents of the EU. The provisions of GDPR can be also applied to how data is processed and verified (more on that later) outside the European Union.
Generally speaking, the GDPR represents a new set of rules intended to empower the citizens of the European Union to control their personal information. In accordance with the applicable laws, users are authorized to access and modify their own data held by the companies, which includes data collection, ad tracking, surveys, cookies, location data, and every other bit of a user’s “digital footprint”. Users are also entitled to transmit their personal details to other organizations. The GDPR also enforces companies to determine their in-house data security policies.
Will Fiksu DSP operate in accordance to the GDPR?
Yes. Fiksu DSP will comply with all the GDPR requirements worldwide for all our users by the 25th of May, 2018. We are undertaking the steps necessary to prove that Fiksu DSP, as well as all our clients, advertising partners, agents and contractors, abide by the provisions of GDPR. As a member of the Privacy Shield framework, Fiksu DSP ensures the ultimate level of protection for data transmitted to and from the European Union.
User privacy has been always our topmost priority. GDPR enables us to formalize our devotion to privacy within a solid legal background.
What is the impact of GDPR on Fiksu DSP?
Similarly to the majority of advertising platforms, Fiksu DSP gathers user data in order to deliver relevant and targeted ads to mobile users. Moreover, our platform receives the data transferred to us through SDKs, RTB exchanges, tracking and attribution partners, and 3rd party data partners. Our attempts to comply with the provisions of GDPR have made it possible for us to streamline the data handling controls, clarify our relationships with data partners, and take the data subjects through an understanding and direct management of the way their personal information is used.
What measures does Fiksu DSP implement to comply with GDPR?
- Controller Classification: Recognized as both a Controller and a Processor (where applicable) by the classifications of GDPR, Fiksu DSP cooperates with its respective partners in order to determine the way data is handled under the agreed terms.
- Data Security: We have assigned Anton Slobodskyi as our Data Protection Officer (DPO). You may reach him via email@example.com. Our DPO is tasked with ensuring that Fiksu DSP acknowledges and abides its data protection responsibilities.
- Global Implementation: Whereas GDPR regulations are merely applied to data gathered from European Union residents, we have taken a decision to meet the GDPR requirements globally for every user in every country.
- Personal Information: Fiksu DSP will gather and manipulate only non-sensitive data signals. Personal information will be pseudonymized and encrypted to ensure the user privacy. The collected information will be handled for standard cases of mobile advertising use: brand targeting; campaign operations; brand measurement; performance attribution and optimization on the Demand Side Platform and Data Management Platform.
- Programmatic Signals: Our platform will honor the IAB’s GDPR Recommendations with regard to supporting GDPR-relevant RTB signals. Programmatic Signals will also include pre-download events like ad impressions and clicks, as well as post-click events like app launches, purchases, and registrations.
- Sub-Processors: Fiksu DSP will manage a list of all sub-processors on a dedicated website page, available to those who has the password.
- Data Mapping: Our Application Marketing Service compels any calls of Mobile ID and other user data to be stripped of personally identifiable information before mapping to all other non-sensitive marketing data.
- Data Subject Rights: On the fiksu.com website, we will provide instructions for the users to access their personal information collected by Fiksu DSP; discontinue the future data gathering by Fiksu DSP; delete personal information collected by Fiksu DSP; opt for not storing that personal information by Fiksu DSP; opt for not processing that personal data by Fiksu DSP.
- Data Retention: We will retain the gathered data for no longer than 24 months.
Is a new Fiksu DSP SDK update required for GDPR?
Since GDPR is supported by Fiksu DSP SDK, there is no need for SDK update; at the same time, in case a Client is carrying the consent, they will be required to make an update in their integration in order to complete data subject queries for information or queries to withdraw the consent that has been claimed by us on the basis of legitimate interest (i.e. disregard, do not process or store).
What should I expect from GDPR when working with Fiksu DSP?
- It’s necessary to sign up the latest buy-side Data Processing Agreements (DPA) with RTB Exchanges.
- Media Partners will need to sign the buy-side DPA of Fiksu DSP since there will be appropriate marketing campaigns managed by us for the Clients.
- In order to adjust the buy-side DPA of Fiksu DSP, the Mobile application provider clients (“Clients”) will be required to upgrade their IO language, which also includes the GDPR-compliant of 3rd-party partners to whom Fiksu DSP is entitled to send personal information.
- The Fiksu DSP DPA must be signed by Tracking and attribution partners.
- The Fiksu DSP DPA must be also signed by 3rd Party Data Providers and Audience Onboarding Partners.
What does the retention policy of Fiksu DSP data mean?
Fiksu DSP processes and for about 24 months stores the pseudonymized data, let alone special requirement provided by GDPR (fraud, legal claim, etc.). Other than that, all personal data is deleted once the 24-month period is over.
Personas and Lookalike Audiences
Regarding the Personas and Lookalike Audiences, both the Clients and Fiksu DSP are considered to be data controllers. Currently, we review the disclosures to ascertain if any editions are needed concerning the consent of a user.
In what way the EU data subjects will know if Fiksu DSP stores any information about them?
Clear guidelines will be provided on the fiksu.com website by May 25, 2018. Data subjects will send official requests to Fiksu DSP via email at the following address: firstname.lastname@example.org.
In what way data subjects in the EU can request Fiksu DSP to delete their data?
The same way as with requests for data information, data subjects will be provided with instructions posted on the fiksu.com website as to the rights and the ways of exercising these rights. The rights imply that they can make the below queries, which will be observed within a 30-day period from the initial request:
- Forget: The possibility to remove personal information of such user from the storage of Fiksu DSP in order to maintain his/her privacy rights.
- Don’t Store: A way to specify that personal information of such user will not be kept in the Fiksu DSP storage in order to maintain his/her privacy rights.
- Don’t Process: A way to specify that personal information of such user will not be processed by Fiksu DSP (however this does not mean it won’t be stored) in order to maintain his/her privacy rights.