GDPR stands for General Data Protection Regulation. It was passed by the European Parliament in 2016, and its enforcement date is May 25th 2018. The regulation not only introduces a series of important changes in the digital world, but also levels the playing field across Europe, an important step towards harmonizing rules and creating a single European digital market.
At Tapfiliate, we always put the customer at the heart of what we do, and complying with the new General Data Protection Regulation was for us just another way of embracing our mission of creating a better internet experience.
Besides simple compliance, we also want to offer you a way to understand what the GDPR is about. Below you’ll find out how the actors on the new data landscape are defined, a summary of your rights as a European data subject, plus the steps that we took to protect your data.
The GDPR defines a series of actors that play the most important roles in the data life-cycle:
- Data subject: All of us are data subjects, as long as we provide data to any other entity that collects, stores or uses it in any way. Any user of an online service is a data subject.
- Data controller: Any public or private entity requesting, collecting and/or using data for any purpose. Online shops or social platforms are data controllers.
- Data processor: Those not directly requesting the data from the subjects, but associated with those who do, and therefore co-responsible for its security. Third-party services like server storage, customer care centers, providers of B2B services, etc. are data processors.
- Data Protection Officer: Required in larger companies or institutions as an internal point of contact, responsible for the implementation of policies and security of personal data within that institution.
- Supervisory Authority: The local authority in charge of supervising and enforcing the GDPR in every EU Member State.
In the case of Tapfiliate, we are the data processor for the data coming from our direct clients. Our direct clients, those setting up an affiliate program using our service, are the data controllers.
Your Data, Your Rights
Under the new regulation, subjects have a number of important rights:
- Information: Companies and other institutions dealing with data must provide the Terms & Conditions of their services in a clear and understandable way, informing users who they are, the purpose for which the data is collected, how long it will be stored, and any third parties that might receive that data.
- Consent: Companies must require a clear consent from you, as well as taking extra steps to ensure that children get parental consent to provide data.
- Access: Upon request, data controllers have to confirm to you whether or not they hold any data about you.
- Portability: You have the right to request a copy of your data in a commonly used, machine-readable format, free of charge, allowing you to take the data with you to a different provider at any time.
- Breach Notification: Companies handling your data must notify you about any breaches that may result in a risk for you within 72 hours of first having become aware of the breach.
- Right to be Forgotten: You are entitled to request that any data about you be deleted. This can only be denied if the data controller finds that erasure would undermine the public interest.
- Profiling: Companies commonly use complex algorithms that analyze large aggregated data sets on things like the search terms you enter in your search engine, your shopping patterns, your favorite films, your downloaded apps, etc. They do this in order to adjust their services to your previous history, as well as to create profiles of people that infer behavior from common traces. A marketing app that assumes you might like product C because you previously bought product B is one example, but sometimes this can get less innocent, like assuming you might not be eligible for life insurance because you search for a lot of fat-laden recipes. This is of course an exaggeration, but the GDPR establishes that if a company uses profiling to process applications for legally binding agreements – like a loan or an insurance policy – it must inform you, and also make sure a person, not a machine, reviews the process if the application ends in a refusal. You also have the right to contest the decision.
- Opting out: You have the right to opt out from marketing services that might use your data.
- Extra sensitive data: The GDPR requires that any data regarding your health, race, sexual orientation, religion and political beliefs be safeguarded with extra measures.
- Global reach: The GDPR requires that every company around the world processing data of individuals residing in the EU must comply with the new regulation. This means that a company using third-party providers outside of the EU must also make sure those services are in line with the GDPR.
To make sure this all happens, fines are set for companies that do not comply, amounting to 4% of the annual global turnover or €20 million (whichever is greater).
After reviewing Recital 26 of the full GDPR text, sampling our click data and having conferred with the Dutch Data Protection Authority, we have concluded that it will not be reasonably possible to (re)identify an individual from this data. Hence we believe that this data can be classified as anonymous and thus the GDPR does not apply to it.
- Cookies are used by Tapfiliate to attribute conversions to affiliates – by default we do not collect personal data from visitors of your website(s). We will never profile visitors.
- Due to the anonymous nature of the data we collect, we believe our cookies should be qualified as “Analytical cookies”. The current draft of the upcoming E-Privacy directive shows that exemptions to cookie consent requirements should be made for analytical cookies. The E-Privacy directive was supposed to be implemented at the same time as the GDPR. However, the implementation has been delayed. Until the time of implementation, make sure you have the proper legal grounds for using cookies; consent being the most obvious choice.
Using meta data
Using the meta data feature, Tapfiliate clients are able to send additional information alongside conversions. Meta data is highly customizable, and what meta data is sent alongside conversions will vary depending on the client's use case. The data controller will need to ensure it has legal grounds for processing this meta data.
When exposing meta data to affiliates, if the exposed meta data is personal data, it has to be shared with us in a GDPR-compliant manner. Be aware that when you, as a data controller, expose meta data that may be personal data to affiliates, the affiliate (now a third party) is also required to be GDPR compliant.
How to ensure you are collecting meta data in a GDPR compliant manner:
- Ensure you have legal grounds for processing, e.g. consent
- Know what steps to take if a data subject exercises their right to be forgotten
- Be aware of third parties you share meta data with, ensure that they too are GDPR compliant
What you can do to ensure your company is GDPR compliant
- Make sure you are using the most recent version of the Tapfiliate script. You are using the latest version if the first line of your Tapfiliate script looks as follows:
- Learn what the GDPR is as a team. Bring everyone on your team up to speed on what the GDPR is, and how it impacts your organization.
- Be aware of the data you process and store. What data are you actually processing, and for what purpose? How and why did you collect this information? Is this data safe, and how are you keeping it safe? Which third parties is this data shared with? How long are you keeping the data you process?
- Know which legal grounds you have for the data you are processing.
- Understand the rights of the data subject, and how you will comply with a data subject exercising their rights.
For more detailed information on any of these topics, have a look here: http://ec.europa.eu/justice/smedataprotect/index_en.htm
Location of your data
The Tapfiliate platform, APIs, databases, and other services are all hosted in AWS’s data center in Ireland.
The way forward
Together with our counsel, and in consultation with the Dutch Data Protection Authority, we have determined which steps we needed to take to become GDPR compliant. As the GDPR text leaves room for interpretation in places, we will be keeping a very close eye on developments. We hereby commit ourselves to always react to new insights and update our products and policies accordingly.