GENERAL Data protection regulation (gDPR) Q&A
Knorex embraces GDPR
At Knorex, we are committed to yours and your customers’ data privacy and data protection. Knorex has put in place processes and procedures to comply with the GDPR core principles and the various provisions including data protection, pseudonymization, data deletion, data transfer and retention.
When it comes to complying with the European Union (EU) regulation on data protection called the General Data Protection Regulation (GDPR), we have compiled a list of questions and answers to help you understand about the measures that we have taken since its commencement to govern the privacy and data protection of EU consumers/residents.
On May 25, 2018, the EU began to enforce the GDPR across all European member states. Any organization, regardless of its location inside or outside of EU, that wishes to reach EU users and to collect personal data from EU residents must comply with GDPR.
What is personal data?
Under GDPR, personal data (GDPR Article 4(1)) can be broadly defined into two forms:
- Personally Identifiable Information (PII). PII is specific information that can be used to identify, locate or contact you. Such PII may include, but not limited to your name, company name, address, email address, phone, and other contact information. The amount and type of information that we gather may vary depending on the nature of your interaction with the Websites.
- Non-Personally Identifiable Information (NPII) or pseudonymous information. NPII is information other than PII, including aggregate information derived from PII, that may allow for singling out individual behaviours without directly identifying the individual e.g. device ID, online identifiers (e.g. cookie ID, mobile advertising ID, IP address) or any other technical identifiers. Such information also include what we record in our server logs typically made available by your web browser when you use or access the websites, for instance, browser type, date/time of visit, IP address, computer information, operating system, referrer addresses, and other generally-accepted log information.
Does Knorex collect and process personal data?
We collect and process pseudonymous personal data to enable us or our partners and customers to render our advertising services without directly identifying consumers.
We use web cookies and device IDs to collect intent data and browsing history. We also use non-cookie-based method based on our proprietary contextual engine to collect the interests and browsing behavior of user segments of interest. These data are collected from users in non-identifying and pseudonimized way.
As defined by GDPR, we do not collect sensitive data which is information that reveals the race or ethnic, religion or philosophical beliefs, sexual orientation, political affiliation, trade union membership, health/medical status or information, genetic/biometric data of the consumer/user.
What has Knorex done to comply with the GDPR?
Within Knorex, we have reviewed our business processes, IT systems and information security policy and have made the appropriate changes to our products and business processes. Externally, we work closely with our partners and customers to ensure that fulfil our GDPR compliance obligations. These are some of the key initiatives that we have carried out:
- We have registered as an approved vendor that is part of the Global Vendor List (GVL) under the iAB Europe Transparency & Consent Framework (TCF) where we are required to adhere to the TCF Policy and Terms & Condition to provide transparency on how we comply with GDPR requirements and enable us to work closely with publishers under GDPR rules.
- We have been part of the AdChoices program for a while, providing consumers with the option to opt-out easily from ad tracking and targeting. Whenever an ad using Knorex platform is shown to a consumer, the consumer can easily discover that Knorex is responsible for displaying that ad and begin to discover how we are using the data and protecting their privacy. The consumer is provided with the option to opt-out from further targeting or tracking via the linked webpage from the ad.
- We have established our Privacy & Data Protection team and appointed our Data Protection Officer to educate, inform, advise on our organization, products and services and also to implement technical and organisational measures to protect personal data against unlawful processing, unauthorised access or accidental loss/destruction.
- We have set up a dedicated user support team to address any queries and requests relating to personal data and privacy protection.
- We have made technical changes to our platform, products and related services and infrastructure to ensure compliance and more importantly, to give our customers and users more control over their data.
- We have prepared the documents and information to supply to our vendors and customers for their compliance and review.
- We have applied data hashing techniques to pseudonymize the data to meet data protection obligation as GDPR encourages such process to “reduce the risk to the data subjects” (See GDPR Recital (28)). Additionally, we also use our in-house contextual targeting product that do not rely on sensitive personal data to advertise to segments of audience.
- We have reviewed our data collection and processing processes and procedures and did a clean up. Additionally, we ensure that we collect and process pseudonymous data with just enough details to help our customers target the intended audience. Our technology is based on making relevant, personalized product recommendations and promoting those items most likely to interest and engage a consumer.
- We have provided the facility for individuals to easily opt-out and enforce their rights to have their data erased and not to be tracked.
What role does Knorex play?
Under the GDPR, a Data Controller is defined as a person or legal entity that determines the purpose and way in which personal data is being processed. Separately, Data Processor processes personal data based on the instructions given by the Data Controller.
Knorex considers its advertising customers and partners as Data Controllers with respect to the data collected from their respective websites and mobile apps and Knorex acts as a Data Processor when providing advertising services to them in accordance to their instructions given to us.
How can an EU individual request "to be forgotten" or for their "right of access" or "to be erased"?
We have worked with numerous independent third parties and also internally, we have provided various tools and methods (http://knorex.com/privacy) for individual to carry out the opt-out easily.
As required by applicable law, including the U.S.-E.U. Privacy Shield Framework, upon request, we will provide you with information about whether we hold any of your personal information. You may request to access, update or delete any of your data by using the opt-out tools that we have provided or by emailing us at firstname.lastname@example.org. We will respond to these requests within a reasonable timeframe.