Privacy
GDPR and Personal Data
Understanding GDPR for OneView customers
Introduction
TL;DR - OneView does not process Personal Data as defined in Article 4(1) of Regulation (EU) 2016/679 “GDPR” for the purpose of fulfilling the contractual agreement with you.
What is Personal Data?
| Definition | ||
|---|---|---|
| Personal Data | ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; | Article 4(1) of Regulation (EU) 2016/679 “GDPR” |
| Pseudonymized Data | ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person; | Article 4(5) of Regulation (EU) 2016/679 “GDPR” |
| Anonymized Data | […] ‘anonymous information’, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. | Recital 26 of Regulation (EU) 2016/679 “GDPR” |
| Identifiable Person | […] To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. […] | Recital 26 of Regulation (EU) 2016/679 “GDPR” |
Who is involved?
Some more definition that are relevant to the GDPR, by defining| Role | Definition | |
|---|---|---|
| Data Subject (your users) | Defined together with Personal Data (see above) | |
| Data Controller (you) | ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; | Article 4(7) of Regulation (EU) 2016/679 “GDPR” |
| Data Recepient | ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing; | Article 4(9) of Regulation (EU) 2016/679 “GDPR” |
Pseudonymized Data
OneView uses identifiers hashed with SHA-256 in your Identity Graph. This ensures that data is securely pseudonymized, as it cannot be re-identified without the original data.
If you use Media Partners with Enhanced Targeting, make sure you align your Privacy Policy and gather consent for this purpose. Based on the data they receive from OneView, these Media Partners will be able to re-identify your Data Subjects across . Learn more.
| Usage | Considered Personal Data? | Source of Law |
|---|---|---|
| Directly used by the Data Controller | Yes | Recital 26 of Regulation (EU) 2016/679 “GDPR” |
| Disclosed to a Recepient | No, unless the Recepient has the means to re-identify the Data Subject | Recital 26 of Regulation (EU) 2016/679 “GDPR”, clarified by Case T-557/20, SRB v EDPS |
Pseudonymized data used by the Data Controller
Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of should be considered to be information on an identifiable natural person.Read more about Recital 26 of GDPR
Read more about Recital 26 of GDPR
The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes. Recital 26 of Regulation (EU) 2016/679 “GDPR”
Pseudonymized data disclosed to a Recipient
The General Court of the European Union in Case T-557/20, SRB v EDPS clarified that pseudonymized data transmitted to a data recipient will not be considered personal data if the data recipient does not have the means to re-identify the data subjectsRead more about the Case T-557/20
Read more about the Case T-557/20
In line with the Court of Justice’s decision in Case C-582/14, Patrick Breyer v Bundesrepublik Deutschland, in order to determine whether pseudonymized information transmitted to a data recipient constitutes personal data, it is necessary to consider the data recipient’s perspective. If the data recipient does not have any additional information enabling it to re-identify the data subjects and has no legal means available to access such information, the transmitted data can be considered anonymized and therefore not personal data. The fact that the data transmitter has the means to re-identify data subjects is irrelevant and does not mean that the transmitted data is automatically also personal data for the recipient. Summary of Case T-557/20, SRB vs EDPS
Online identifiers
Recital 30 of Regulation (EU) 2016/679 “GDPR” gives a broad definition of online identifiers, including elements such as IP addresses, and cookies.| Considered Personal Data? | Source of Law | |
|---|---|---|
| IP Addresses | Yes | Recital 30 of Regulation (EU) 2016/679 “GDPR”, clarified by Case C-582/14, Patrick Breyer v Bundesrepublik Deutschland |
| Cookies | It depends | Recital 30 of Regulation (EU) 2016/679 “GDPR” |
IP Addresses
IP Addresses are definitely considered personal data. However, the processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest for OneView, which does not require consent for processing. OneView processes IP Addresses only for the purpose of protecting its network. This is done to ensure that the platform is not abused by malicious actors, for example:- to ensure the availability of the service to all customers
- to mitigate DDoS attacks
- to ban abusive bots
- to prevent unauthorized access to the network
Read more about Recital 47 of GDPR
Read more about Recital 47 of GDPR
The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. Recital 47 of Regulation (EU) 2016/679 “GDPR”
Read more about Article 6(1) of GDPR
Read more about Article 6(1) of GDPR
Processing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (c) processing is necessary for compliance with a legal obligation to which the controller is subject; (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks. Article 6(1) of Regulation (EU) 2016/679 “GDPR”
Cookies
ePrivacy Directive and its enacting laws in EU Member States are lex specialis to the GDPR, meaning in case of ambiguity, the former applies.
gtag.js) to receive data, including that from cookies, from your website.
Both technologies use cookies only to distinguish between sessions and clients; their identifiers are arbitrary and do not encode any information.
Because the other you may send to OneView (which could be used to identify a natural person) are pseudonymized, it is not possible for OneView to identify your Data Subjects from the data it receives, including that from cookies.