General Data Protection Policy
Last Updated: October 04, 2019
The General Data Protection Regulation (“GDPR“) is a European Union regulation which protects the rights of data subjects in the European Economic Area (“EEA”), with respect to their “personal data,” as such term is defined in the GDPR. The GDPR provides the following rights to data subjects located in the EEA:
- the right to be told how we use your personal data and obtain access to your personal data;
- the right to have your personal data rectified or erased or place restrictions on processing your personal data;
- the right to object to the processing of your personal data, e.g., for direct marketing or ad targeting purposes;
- the right to have any personal data you provided to us on an automated basis returned to you in a structured, commonly used and machine-readable format, or sent directly to another company, where technically feasible (“data portability”);
- where the processing of your personal data is based on your consent, the right to withdraw that consent subject to legal or contractual restrictions;
- the right to object to any decisions based on the automated processing of your personal data, including profiling; and
- the right to lodge a complaint with the supervisory authority responsible for data protection matters (e.g. in the UK, the Information Commissioner’s Office, or “ICO“).
This policy applies to Amobee, Inc. and Amobee EMEA Limited (referred to by the first-person plural in this policy). The term “Business Partner” has the meaning set out in our Privacy Guidelines.
Below are some of the many actions we have taken to be compliant with GDPR.
- We have conducted a data privacy impact assessment to document our data flows and evaluate our technology and practices.
- We have established our lawful basis for processing data.
- We have appointed a data privacy officer.
- We have made changes to bring our technology and practices into compliance, including offering self-service portals for EEA data subjects to make erasure and access requests and revising our data retention policies.
- We have made changes to our contracts and entered into data processing agreements or other agreements where appropriate with our clients and vendors.
- We have trained our personnel on new requirements.
- We have updated our disclosures and data security policies.
C. What Personal Data is Collected and How It is Collected
If you are an end user located in the EEA who receives online advertising from one or more of our clients via the Amobee ad platform, our technology collects data about the websites and apps that you interact with and the advertisements that we show you. This data may include information about the device and its IP address; the browser or application used; which and how many, business partner web pages have been viewed by a browser or application; search terms entered on business partner websites; referring and exit pages; the date and time an advertisement was viewed; imprecise geolocation data; browser or device-specific identifiers (such as mobile device advertising identifiers or your browser’s user agent string); and other similar information. Amobee does not “actively scan device characteristics” as defined in the IAB Trust and Consent Framework 2.0. The data may be collected when: we or a Business Partner purchases online advertisements on a website that you visit or an app that you use; a Business Partner places one of our web pixels on a website that you visit; or you interact with an app from which we collect data. We also license data from third-party vendors and those vendors represent that the data transfer to us is compliant with GDPR. Our advertising technology also allows Business Partners to target users by submitting lists of pseudonymized data to us
Our advertising technology also offers data management services to business partners via our data management platform (“DMP”). Our DMP enables our Business Partners to collect, store and analyze data about their audiences. The data in the DMP is the foregoing data, as well as any data uploaded by the Business Partners for their own use. We associate end user data with pseudonymous identifiers known as an Amobee ID. We use ID syncing to associate Amobee IDs with identifiers and data from Business Partners and other industry participants in an effort to display relevant advertisements on a wider range of websites, apps and content. We may also collect market research survey responses in some cases.
If you are a visitor to our own website, our technology collects your IP address, the pages on our website that you view, your web browser, location data, mobile device-specific identifiers, your internet service provider, the time/date of the visit and your device operating system. If you choose to directly contact us or fill out a contact form for the purpose of receiving more information about our products and services, we will collect the information you provide, such as your first and last name, physical address, telephone number or e-mail address.
If you have a contract with us or we are taking steps at your request to enter into a contract with us, we collect personal data you provide, such as your e-mail addresses, telephone number and billing details.
D. How Personal Data is Used
If you are an end user located in the EEA who receives online advertising from one or more of our clients via our ad platform, we use your personal data to identify the audience most likely to respond to a particular ad, to serve those ads and to analyze trends. We may also share this information with our affiliates and Business Partners in accordance with our Privacy Guidelines. We do not use “special categories” of your data for these purposes, as that term is defined by the GDPR.
If you are a visitor to our own website, we use your personal data to administer, improve and customize our website, to help us understand and analyze how the website is being used and to evaluate aggregate website usage. We use your contact information (if provided) to provide you with information about our products and services.
If you have a contract with us or we are taking steps at your request to enter into a contract with us, we use your personal data for ordinary business purposes, such as to maintain customer and supplier accounts, billing, password management and to service other customer needs.
E. Who the Personal Data is Shared With
We may share personal data with Google Cloud and Amazon Web Services who provide cloud computing services for us. We use Hubspot and Google Analytics to collect information about visitors to our corporate website. These third parties are prohibited from using the information we provide for purposes other than performing services for us or as contractually agreed.
We may also share personal data with our Amobee-branded affiliates and Business Partners (including third-party DSPs and DMPs used by our Business Partners) to carry out advertising campaigns and analysis. Similarly, we may enhance the personal data collected via our advertising technology with personal data collected from Business Partners.
We remain responsible under the Privacy Shield Principles if third-party agents that we engage to process personal data on our behalf do so in a manner inconsistent with the Principles, unless we prove that we are not responsible for the event giving rise to the damage.
We may be required to disclose personal data to third parties when we reasonably believe we are obligated to do so by law (including to meet national security or law enforcement requirements) and to investigate, prevent, or take action regarding suspected or actual prohibited activities, including but not limited to, fraud and situations involving potential threats to the physical safety of any person.
Finally, we may transfer personal data to a successor entity in connection with a corporate merger, consolidation, sale of assets, bankruptcy, or other corporate change.
F. Privacy Shield
We comply with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal information from European Union member countries, the United Kingdom and Switzerland. We have certified that we adhere to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access and Recourse, Enforcement and Liability. We are subject to the investigatory and enforcement powers of the Federal Trade Commission with respect to our adherence to Privacy Shield. If there is any conflict between this general data protection regulation policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program and to view our certification page, please visit https://www.privacyshield.gov.
G. How Long Personal Data is Retained
If you are an end user located in the EEA who receives online advertising from one or more of our clients via the Amobee ad platform, then we will retain personal data associated with your Amobee ID for up to 13 months. Amobee retains certain other data related to web traffic and Twitter tweets, where the data is not associated with any user (i.e., it is not personal data), for up to 18 months.
If you have a contract with us or we are taking steps at your request to enter into a contract with us, then we will retain your personal data for the duration of our business relationship and afterwards for as long as is necessary and relevant for our legitimate business purposes, in accordance with our data retention policy or as otherwise permitted under applicable laws and regulation.
Where we no longer need your personal data, we will dispose of it in a secure manner (without further notice to you).
H. Basis for Processing
We have implemented the IAB Europe Transparency and Consent Framework (the “TCF”) in our ad platform. If you are an end user located in the EEA who receives online advertising from one or more of our clients via our ad platform, we will honor consent signals in the bid request for each ad impression. This means we will rely on consent for the basis for processing (if consent is granted) or we will not process your personal data (if consent is denied or if the consent signal is malformed or missing) in connection with that ad impression. If the ICO later determines that TCF is insufficient to represent consent under GDPR, Amobee may rely on legitimate interest as the basis for processing. The legitimate interest is direct marketing in order to deliver more relevant advertising while supporting the production of ad-supported content on the Internet, as provided under Recital 47 following the guidance of the Article 29 Working Party stated in “Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679.” Due to technical limitations in the consent mechanism, the consent mechanism may not provide a complete description of our legal basis for processing. Therefore, this policy controls in the event of conflict between this and any description in the consent mechanism.
If you are a visitor to our own website, we may rely on legitimate interest as the basis for processing under GDPR. The legitimate interest to administer, improve and customize our website, to help us understand and analyze how the website is being used and to evaluate aggregate website usage, under the same legal authorities and guidance as stated above. If you fill out a contact form, we rely on consent as the basis for processing.
If you have a contract with us or we are taking steps at your request to enter into a contract with us, then we will rely on the performance of a contract as the basis for processing your personal data under GDPR.
We are subject to the Privacy and Electronic Communications Regulations (“PECR”) in addition to GDPR. PECR requires consent before setting or reading cookies in the user’s browser. Therefore, if you are located in the EEA, we will only set or read cookies in your browser when we reasonably believe we have consent to do so.
The automated ad-decisioning performed by us and other companies may be regarded as a type of profiling. The profiling is based on websites previously visited by you, previous ads served to you and any clicks or actions you made on those ads, demographic and other information about you, location information and contextual information (e.g., which website the ad is to be served on). Our evaluations of these profiles concluded that none of them are considered “high risk” to the fundamental human rights of EEA data subjects.
J. Security and Integrity
We have implemented reasonable security measures to protect the information in our care, both during transmission and once we receive it. This includes, but is not limited to, physical security and the use of encryption. No method of transmission over the Internet, or method of electronic storage, is entirely secure, however. Therefore, while we strive to use commercially reasonable means to protect information, we cannot guarantee its absolute security.
We process information in a way that is compatible with and relevant to, the purpose for which it was collected. To the extent necessary for those purposes, we take reasonable steps to ensure that any information in our care is accurate, complete, current and reliable for its intended use.
K. Transfers outside the EEA
Amobee, Inc. is Privacy Shield certified. Therefore, transfers from the EU or Switzerland to the US operations of Amobee, Inc. are protected by Privacy Shield. Amobee, Inc. has entered into Model Contract Clauses for any further transfers.
L. Data Subject Request
If you simply wish to stop receiving tailored advertisements on your browser or mobile device, the easiest option is to use the our Consumer Opt Out. This is available to everyone.
Alternatively, if you are an EEA data subject who receives online advertising from one or more of our clients via our ad platform, you can do the following.
- If you wish to exercise your rights to erasure, to restrict processing, to object or to not be subject to automated decision-making including profiling, please click here and we will delete all personal data we have about you. If you believe we hold incorrect data about you, please exercise the same right to have our data about you deleted and we will delete that incorrect data.
- If you wish to exercise your rights to access your personal data or to data portability, please click here and we will send you a copy of the personal data we have about you.
If you have a contract with us and wish to do any of the foregoing, please send your request to your Amobee representative.
M. Data Protection Officer and Representative
Our data protection officer is ePrivacy GmbH, Große Bleichen 21, 20354 Hamburg.
The representative of Amobee, Inc. for purposes of GDPR is Amobee EMEA Limited (CRN 06514746), Noah’s Yard, 10 York Way, London N1 9AA.
The CEO of Amobee, Inc. and Amobee EMEA Limited is Kim Perell, 10201 Wateridge Circle Suite 400 San Diego, CA 92121.
Amobee has further committed to refer unresolved privacy complaints under the EU-U.S. and the Swiss-U.S. Privacy Shield Principles to the BBB EU Privacy Shield, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint.
Please note that if your complaint is not resolved through these channels, under limited circumstances, a binding arbitration option may be available before a Privacy Shield panel.
You may also file a complaint with the ICO, the supervisory authority for Amobee.
O. Data Processing Agreement
An example of the data processing agreement between our clients and us is here.
P. Changes to this GDPR Overview
Visit this page periodically to stay aware of any changes to this policy, which we may update from time to time. If we modify this policy, we will make the revised policy available at the URL of this page and indicate the date of the latest revision.