GDPR & ExoClick

This blog post does not constitute legal advice, nor is this information intended to create or rise to the level of an attorney-client relationship. You should seek professional legal advice where appropriate.


What is GDPR?

GDPR takes effect on May 25, 2018, replacing the existing Data Protection Directive 95/46/EC in order to harmonise data privacy laws across Europe (including the U.K.), to protect and empower all EU citizens data privacy and to reshape the way organisations across the region approach data privacy.


Who is GDPR affecting?

It will affect all EU organisations as well as organisations outside of the EU that offer goods or services to, or process personal data of, EU data subjects.


What happens if you don’t comply?

Organizations in non-compliance may face heavy fines (up to 4% of annual global turnover or €20 Million, whichever is greater).


What is personal data?

Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

There are two sub-categories of personal data:

  1. Personally identifiable information (PII) such as a person’s name, surname, phone numbers, etc…
  2. Pseudonymous data or non-directly identifying information, which does not allow the direct identification of users but allows the singling out of individual behaviors (for instance to serve the right ad to the right user at the right moment). Examples: cookie ID, hashed email, device ID …

The GDPR establishes a clear distinction between directly identifying information and pseudonymous data. It encourages the use of pseudonymous information and expressly provides that “the application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations”.


What is a data controller and a data processor?

This distinction is important for compliance and here are the exact definitions of each role:
Data Controller
A company/organisation that collects people’s personal data and makes decisions about what to do with it. So if you’re collecting personal data and are determining how it will be processed, you’re the Controller of that data and must comply with applicable data privacy legislation accordingly.
Data Processor
A company/organisation that helps a controller by “processing” data based on its instructions, but doesn’t decide what to do with data. A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.


What is the role of ExoClick in GDPR context?

As an ad network and ad exchange, ExoClick acts as a co-data controller, together with our Publishers.


What is ExoClick doing about it?

ExoClick has been preparing for GDPR since 2017. We have been reviewing our data security and data protection protocols and policies across the company to comply with GDPR requirements.

More concretely we respect and apply the data minimization principle, making sure that we don’t collect more information than what is strictly necessary for the purpose of our services.

Also, we only use pseudonymous data which cannot lead to the personal identification of a European subject, ExoClick is not able to know the identity of the user.

Finally, we are applying the privacy-by-design concept, which consist of taking into account data privacy throughout the whole engineering process.


What personal data is ExoClick using?

At ExoClick, we do not collect or retain any consumer personally identifiable information (PII). This means our data does not directly identify any individuals (i.e. name, email address, or billing information). That said, the GDPR broadens the definition of personal data to include the data that we collect for the purpose of our services. More precisely we use pseudonymous data linked to browsing events. For instance, ExoClick collects the following data from its Publisher’s visitors:

  • URL of the websites and pages browsed by the visitors;
  • Aggregated technical information related to the browser and device of the user (“user agent”)
  • Time stamp (date, time)
  • ExoClick Cookie
  • IP address
  • Country


Is ExoClick compliant with GDPR?

In our standard terms with partners and clients, ExoClick always undertakes to comply with all applicable laws and regulations. This of course covers GDPR.

We have always innovated and followed industry best practices, standards and regulations. Data privacy has always been part of our priorities.

ExoClick is committed to helping you understand and prepare for the General Data Protection Regulation (GDPR) and more posts and information will be published soon.

Giles Hirst