General Data Protection Regulation Policy
Last Updated: November 12, 2018
The General Data Protection Regulation (GDPR) is a European Union regulation which protects the rights of data subjects in the European Economic Area (EEA), with respect to their “personal data,” as such term is defined in the GDPR. The GDPR provides the following rights to data subjects located in the EEA:
- the right to be told how we use your personal data and obtain access to your personal data;
- the right to have your personal data rectified or erased or place restrictions on processing your personal data;
- the right to object to the processing of your personal data, e.g., for direct marketing or ad targeting purposes;
- the right to have any personal data you provided to us on an automated basis returned to you in a structured, commonly used and machine-readable format, or sent directly to another company, where technically feasible (“data portability”);
- where the processing of your personal data is based on your consent, the right to withdraw that consent subject to legal or contractual restrictions;
- the right to object to any decisions based on the automated processing of your personal data, including profiling; and
- the right to lodge a complaint with the supervisory authority responsible for data protection matters (e.g. in the UK, the Information Commissioner’s Office).
Below are some of the many actions we have taken to be compliant with GDPR.
- We have conducted a data privacy impact assessment to document our data flows and evaluate our technology and practices.
- We have established our lawful basis for processing data.
- We have appointed a data privacy officer.
- We have made changes to bring our technology and practices into compliance, including offering self-service portals for EEA data subjects to make erasure and access requests and revising our data retention policies.
- We have made changes to our contracts and entered into data processing agreements or other agreements where appropriate with our clients and vendors.
- We have trained our personnel on new requirements.
- We have updated our disclosures and data security policies.
C. What Personal Data is Collected and How It is Collected
If you are an end user located in the EEA who receives online advertising from one or more of our clients via the Amobee ad platform, our technology collects data about the websites and apps that you interact with and the advertisements that we show you. This data may include information about the device and its IP address; the browser or application used; which and how many, business partner web pages have been viewed by a browser or application; search terms entered on business partner websites; referring and exit pages; the date and time an advertisement was viewed; precise geolocation data from third parties; location data; browser or device-specific identifiers (such as mobile device advertising identifiers or your browser’s user agent string); and other similar information. The data may be collected when: Amobee or a business partner purchases online advertisements on a website that you visit or an app that you use; an Amobee business partner places one of Amobee’s web pixels on a website that you visit; or you interact with an app from which Amobee collects data. Amobee also licenses data from third-party vendors and those vendors represent that the data transfer to Amobee is compliant with GDPR. Amobee advertising technology also allows business partners to target users by submitting lists of pseudonymized data to Amobee.
Amobee advertising technology also offers data management services to business partners via its data management platform (“DMP”). The Amobee DMP enables its business partners to collect, store and analyze data about their audiences. The data in the DMP is the foregoing data, as well as any data uploaded by the business partner for their own use. Amobee associates its end user data with pseudonymous identifiers known as an Amobee ID. Amobee uses ID syncing to associate Amobee IDs with identifiers and data from business partners and other industry participants in an effort to display relevant advertisements on a wider range of websites, apps and content. Amobee may also collect market research survey responses in some cases.
If you are a visitor to Amobee’s own website, our technology collects your IP address, the pages on our website that you view, your web browser, location data, mobile device-specific identifiers, your internet service provider, the time/date of the visit and your device operating system. If you choose to directly contact Amobee or fill out a contact form for the purpose of receiving more information about Amobee’s products and services, Amobee will collect the information you provide, such as your first and last name, physical address, telephone number or e-mail address.
If you have a contract with Amobee, Amobee collects personal data you provide, such as your e-mail addresses, telephone number and billing details.
D. How Personal Data is Used
If you are an end user located in the EEA who receives online advertising from one or more of our clients via the Amobee ad platform, Amobee uses your personal data to identify the audience most likely to respond to a particular ad, to serve those ads and to analyze trends. Amobee may also share this information with its affiliates and business partners in accordance with our Privacy Guidelines. Amobee does not use “special categories” of your data for these purposes, as that term is defined by the GDPR.
If you are a visitor to Amobee’s own website, Amobee uses your personal data to administer, improve and customize its website, to help Amobee understand and analyze how the website is being used and to evaluate aggregate website usage. Amobee uses your contact information (if provided) to provide you with information about Amobee’s products and services.
If you have a contract with Amobee, Amobee uses your personal data for ordinary business purposes, such as to maintain customer and supplier accounts, billing, password management and to service other customer needs.
E. Who the Personal Data is Shared With
We may share your personal data with our Amobee-branded affiliates, our clients (including third-party DSPs and DMPs used by our clients) and our cloud service providers.
F. How Long Personal Data is Retained
If you are an end user located in the EEA who receives online advertising from one or more of our clients via the Amobee ad platform, then we will retain your personal data for up to 13 months. Amobee retains certain other data related to web traffic and Twitter tweets, where the data is not associated with any user (i.e., it is not personal data), for up to 18 months.
If you have a contract with us, then we will retain your personal data for the duration of our business relationship and afterwards for as long as is necessary and relevant for our legitimate business purposes, in accordance with our data retention policy or as otherwise permitted under applicable laws and regulation.
Where we no longer need your personal personal data, we will dispose of it in a secure manner (without further notice to you).
G. Consent and Legitimate Interest
If you are an end user located in the EEA who receives online advertising from one or more of our clients via the Amobee ad platform, we are working with a handful of other digital advertising companies to implement a mechanism for obtaining consent to the extent required under GDPR. We may test the consent mechanism even when consent isn’t required as a legal basis for our processing. We otherwise rely on legitimate interest (direct marketing purposes) as the basis for processing personal data via our advertising platform.
Due to technical limitations in the consent mechanism, the consent mechanism may not provide a complete description of Amobee’s legal basis for processing. Therefore, this overview controls in the event of conflict between this and any description in the consent mechanism.
If you have a contract with us, then we will rely on the performance of a contract as the basis for processing your personal data.
The automated ad-decisioning performed by Amobee and other companies may be regarded as a type of profiling. The profiling is based on websites previously visited by you, previous ads served to you and any clicks or actions you made on those ads, demographic and other information about you, location information and contextual information (e.g., which website the ad is to be served on). Our evaluations of these profiles conclude that none of them are considered “high risk” to the fundamental human rights of EEA data subjects.
I. Transfers outside the EEA
Amobee, Inc. is Privacy Shield certified. Therefore, transfers from the EU or Switzerland to the US operations of Amobee, Inc. are protected by Privacy Shield. Amobee, Inc. has entered into Model Contract Clauses for any further transfers.
J. Data Subject Request
If you simply wish to stop receiving tailored advertisements on your browser or mobile device, the easiest option is to use the Amobee Opt Out Mechanism. This is available to everyone.
Alternatively, if you are an EEA data subject who receives online advertising from one or more of our clients via the Amobee ad platform, you can do the following.
- If you wish to exercise your rights to erasure, to restrict processing, to object or to not be subject to automated decision-making including profiling, please click here and Amobee will delete all personal data it has about you. If you believe we hold incorrect data about you, please exercise the same right to have our data about you deleted and we will delete that incorrect data.
- If you wish to exercise your rights to access your personal data or to data portability, please click here and we will send you a copy of the personal data we have about you.
If you have a contract with us and wish to do any of the foregoing, please send your request to your Amobee representative.
K. Data Protection Officer
Our data protection officer is ePrivacy GmbH, Große Bleichen 21, 20354 Hamburg.
You may send a complaint to email@example.com or to the UK Information Commissioner’s Office, the supervisory authority for Amobee.
M. Data Processing Agreement
An example of the data processing agreement between Amobee and its clients is here.
N. Changes to this GDPR Overview
Visit this page periodically to stay aware of any changes to this overview, which we may update from time to time. If we modify this overview, Amobee will make the revised overview available at the URL of this page and indicate the date of the latest revision.