Introduction

TL;DR: You should update:
  • Privacy Policy: mention OneView as Data Processor. If you plan to use Enhanced Conversions, you must also disclose that you send consenting user data (ad_user_data) to your Media Partners, enabling them to re-identify consenting users for campaign optimization and remarketing purposes (ad_personalization).
  • Cookie Policy: mention the usage of anonymous first-party cookies for the purposes of analytics (ad_storage) and advertising (analytics_storage).
To learn more about how OneView behaves based on consent signals, please refer to the Consent page.
This article is meant as a guide to help you understand what PII is, how GDPR works, and how OneView achieves perfect data quality within regulatory boundaries.

What is Personal Data?

|  | Definition |
| --- | --- |
| Personal Data | ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; (Article 4(1) of Regulation (EU) 2016/679 “GDPR”) |
| Pseudonymized Data | ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person; (Article 4(5) of Regulation (EU) 2016/679 “GDPR”) |
| Anonymized Data | […] ‘anonymous information’, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. (Recital 26 of Regulation (EU) 2016/679 “GDPR”) |
| Identifiable Person | […] To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. […] (Recital 26 of Regulation (EU) 2016/679 “GDPR”) |

Who is involved?

Some more definitions that are relevant to the GDPR, by defining

| Role | Definition |
| --- | --- |
| Data Subject (your users, natural persons only) | Defined together with Personal Data (see above) |
| Data Controller (you, the website owner) | ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; (Article 4(7) of Regulation (EU) 2016/679 “GDPR”) |
| Data Recipient (your Media Partners) | ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing; (Article 4(9) of Regulation (EU) 2016/679 “GDPR”) |
| Data Processor (OneView) | ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; (Article 4(8) of Regulation (EU) 2016/679 “GDPR”) |

Pseudonymized Data

OneView uses identifiers hashed with SHA-256 in your Identity Graph. This ensures that data is securely pseudonymized, as it cannot be re-identified without the original data.
If you use Media Partners with Enhanced Conversions, make sure you align your Privacy Policy and gather consent for this purpose. Based on the data they receive from OneView, these Media Partners will be able to re-identify your Data Subjects across .
There are two instances where pseudonymized data is handled:
| Usage | Considered Personal Data? | Source of Law |
| --- | --- | --- |
| Directly used by the Data Controller | Yes | Recital 26 of Regulation (EU) 2016/679 “GDPR” |
| Disclosed to a Recipient | No, unless the Recipient has the means to re-identify the Data Subject | Recital 26 of Regulation (EU) 2016/679 “GDPR”, clarified by Case T-557/20, SRB v EDPS |
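
The difference between the two rows comes down to what the recipient already holds. The following added example (not OneView's code) shows a recipient matching SHA-256 identifiers against emails it already has, and goes beyond the page by contrasting this with a keyed hash whose key stays with the controller. The trim-and-lowercase normalization, the sample addresses and the key are assumptions constructed for the illustration.

```python
import hashlib
import hmac


def normalize(email: str) -> str:
    # Assumed normalization (trim + lowercase); the page does not specify OneView's.
    return email.strip().lower()


def sha256_id(email: str) -> str:
    """Unkeyed SHA-256 pseudonym: anyone holding the same email derives the same value."""
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()


def keyed_id(email: str, key: bytes) -> str:
    """HMAC-SHA-256 pseudonym: matching also requires the separately held key."""
    return hmac.new(key, normalize(email).encode("utf-8"), hashlib.sha256).hexdigest()


def reidentify(received: list, known_emails: list) -> dict:
    """Recipient's view: map received pseudonyms back to emails it already holds."""
    lookup = {sha256_id(e): normalize(e) for e in known_emails}
    return {h: lookup[h] for h in received if h in lookup}


# Constructed sample data (not real users).
CONTROLLER_USERS = [" Alice@Example.com", "bob@example.com", "carol@example.com"]
PARTNER_ACCOUNTS = ["alice@example.com", "carol@example.com", "dave@example.com"]
CONTROLLER_KEY = b"constructed-demo-key-kept-by-controller"

if __name__ == "__main__":
    sent = [sha256_id(e) for e in CONTROLLER_USERS]
    # A partner with its own account base re-identifies the overlap.
    print("partner with accounts:", sorted(reidentify(sent, PARTNER_ACCOUNTS).values()))
    # A recipient holding no matching data learns nothing from the hashes.
    print("recipient with no data:", reidentify(sent, []))
    # Keyed pseudonyms do not match without the controller's key.
    sent_keyed = [keyed_id(e, CONTROLLER_KEY) for e in CONTROLLER_USERS]
    print("keyed, partner with accounts:", reidentify(sent_keyed, PARTNER_ACCOUNTS))
```

A keyed pseudonym only suits recipients that are not supposed to match identifiers; where a Media Partner is meant to re-identify users, the consent and Privacy Policy disclosure described above are what cover that matching.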

Pseudonymized data used by the Data Controller

Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person.
The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes. Recital 26 of Regulation (EU) 2016/679 “GDPR”

Pseudonymized data disclosed to a Recipient

The General Court of the European Union in Case T-557/20, SRB v EDPS clarified that pseudonymized data transmitted to a data recipient will not be considered personal data if the data recipient does not have the means to re-identify the data subjects.
In line with the Court of Justice’s decision in Case C-582/14, Patrick Breyer v Bundesrepublik Deutschland, in order to determine whether pseudonymized information transmitted to a data recipient constitutes personal data, it is necessary to consider the data recipient’s perspective. If the data recipient does not have any additional information enabling it to re-identify the data subjects and has no legal means available to access such information, the transmitted data can be considered anonymized and therefore not personal data. The fact that the data transmitter has the means to re-identify data subjects is irrelevant and does not mean that the transmitted data is automatically also personal data for the recipient. Summary of Case T-557/20, SRB vs EDPS

Online identifiers

Recital 30 of Regulation (EU) 2016/679 “GDPR” gives a broad definition of online identifiers, including elements such as IP addresses and cookies.

|  | Considered Personal Data? | Source of Law |
| --- | --- | --- |
| IP Addresses | Yes | Recital 30 of Regulation (EU) 2016/679 “GDPR”, clarified by Case C-582/14, Patrick Breyer v Bundesrepublik Deutschland |
| Cookies | It depends | Recital 30 of Regulation (EU) 2016/679 “GDPR” |

IP Addresses

IP Addresses are definitely considered personal data. However, the processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest for OneView, which does not require consent for processing. OneView processes IP Addresses only for the purpose of protecting its network. This is done to ensure that the platform is not abused by malicious actors, for example:
  • to ensure the availability of the service to all customers
  • to mitigate DDoS attacks
  • to ban abusive bots
  • to prevent unauthorized access to the network
The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. Recital 47 of Regulation (EU) 2016/679 “GDPR”
Processing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (c) processing is necessary for compliance with a legal obligation to which the controller is subject; (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks. Article 6(1) of Regulation (EU) 2016/679 “GDPR”

Frequently Asked Questions about IP Addresses

Some Media Partners (optionally) let you add IP addresses in their Conversion API; however, since OneView never stores IP addresses, they will never be populated for any Media Partner Integration.
Client Side
As part of HTTP specification, when implemented from your frontend, OneView inherently receives the IP addresses of your users, but only uses them for its own abuse prevention purposes.
However, there is no way for you to independently verify this claim - this is an inherent limitation of any third-party service.
We’ve architected our system to minimize required trust (hashed data, no client-side code), but cannot eliminate it entirely.
If this level of trust is incompatible with your requirements, you can use a server-side implementation for OneView.
Server Side
You retain full control over exactly which data to send to OneView. In a fully-restricted scenario, the only IP address reaching OneView is that of your own Tag Server.

Cookies

The ePrivacy Directive and its enacting laws in EU Member States are lex specialis to the GDPR, meaning that in case of ambiguity, the former applies.
In OneView, cookies are only relevant in the context of Frontend Sources, as they integrate with your current technologies (either Google Tag Manager® or Google® gtag.js) to receive data, including that from cookies, from your website. Both technologies use cookies only to distinguish between sessions and clients; their identifiers are arbitrary and do not encode any information. Because the other you may send to OneView (which could be used to identify a natural person) are pseudonymized, it is not possible for OneView to identify your Data Subjects from the data it receives, including that from cookies.
Without a Custom Domain
Key Point: Browsers have built-in security mechanisms that make it technically impossible for OneView to access cookies on your website.
No. Every browser enforces Same-Origin Policy, a foundational web security mechanism that prevents any domain from reading cookies set by another domain. Since OneView runs on earth.oneviewhub.cloud, it cannot access cookies from your domain yourwebsite.com or any other third-party service (such as secure.sensitivedomain.com).
OneView only receives data you explicitly send through your GTM configuration. Your implementation controls which cookie values are transmitted.
Using a Custom Domain (Reverse Proxy)
If you need verifiable protection against unauthorized cookie access: Send data to OneView from your on-premise Tag Server. This ensures all requests to OneView originate from your server, giving you full control over which cookies are sent.
It depends. When using a Custom Domain via reverse proxy (like yourwebsite.com/tracking proxying to OneView), requests appear to come from your domain. Your reverse proxy receives the full cookie header from the browser and forwards requests to OneView’s backend.
What OneView receives depends entirely on your reverse proxy configuration:
  • Your proxy can strip sensitive cookies before forwarding (e.g. authentication cookies)
  • Your proxy can forward specific cookies only (e.g. analytics cookies)
  • Your proxy can forward all cookies (default behavior for most reverse proxies)
We’ve architected our system to minimize required trust, but cannot eliminate it entirely. If you require absolute certainty that only specific data reaches OneView, either customize your reverse proxy configuration, or use a server-side implementation where your server explicitly constructs the payload sent to OneView.
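
The "forward specific cookies only" option above, sketched as the header filter a reverse proxy would apply before passing a request upstream. This is an added example, not OneView's or any proxy's own code; the allow-listed `_ga` cookie names, the dropped credential headers and the sample request are assumptions constructed for the illustration.

```python
# Assumption: the tracking endpoint only needs the Google Analytics client/session
# cookies set by gtag.js / GTM. Replace with the cookies your setup really sends.
ALLOWED_NAMES = frozenset({"_ga"})
ALLOWED_PREFIXES = ("_ga_",)
# Hypothetical policy for this example: credentials never leave the proxy.
DROPPED_HEADERS = frozenset({"authorization", "proxy-authorization"})


def filter_cookies(cookie_header: str) -> str:
    """Keep only allow-listed name=value pairs from a Cookie request header."""
    kept = []
    for pair in cookie_header.split(";"):
        pair = pair.strip()
        name = pair.split("=", 1)[0].strip()
        if name in ALLOWED_NAMES or name.startswith(ALLOWED_PREFIXES):
            kept.append(pair)
    return "; ".join(kept)


def upstream_headers(incoming: dict) -> dict:
    """Headers the proxy forwards to the tracking backend."""
    forwarded = {}
    for name, value in incoming.items():
        lowered = name.lower()
        if lowered in DROPPED_HEADERS:
            continue
        if lowered == "cookie":
            value = filter_cookies(value)
            if not value:
                continue  # nothing allow-listed: send no Cookie header at all
        forwarded[name] = value
    return forwarded


# Constructed browser request to yourwebsite.com/tracking (all values made up).
SAMPLE_REQUEST = {
    "Content-Type": "application/json",
    "Authorization": "Bearer constructed-token",
    "Cookie": "sessionid=s3cr3t; _ga=GA1.1.111.222; csrftoken=abc=def; "
              "_ga_EXAMPLE1=GS1.1.333.444; theme=dark",
}

if __name__ == "__main__":
    for name, value in upstream_headers(SAMPLE_REQUEST).items():
        print(f"{name}: {value}")
```

An allow-list fails closed: a session or authentication cookie introduced later is stripped without any change to the proxy, which a list of cookies to remove would not guarantee.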
Client-side
Device fingerprinting is legally treated as equivalent to cookie-based tracking under ePrivacy, and requires explicit consent. Additionally, major browsers including Safari actively prevent fingerprinting techniques.
No. Since OneView doesn’t deploy proprietary JavaScript code on your website, browser-based fingerprinting is technically impossible.
Server-side
If you need verifiable protection against server-side fingerprinting: Send data to OneView from your on-premise Tag Server. This ensures all requests to OneView originate from your single server, making user fingerprinting technically impossible, since we’d only see your server’s characteristics, not individual clients’.
No. OneView does not perform any form of fingerprinting, and relies solely on the cookie identifiers you send. However, there is no way for you to independently verify this claim - this is an inherent limitation of any third-party service.
We’ve architected our system to minimize required trust (hashed data, no client-side code), but cannot eliminate it entirely.
If this level of trust is incompatible with your requirements, you can use a server-side implementation for OneView.