Data Rules for AdTech Under the GDPR

For those living in blissful ignorance: starting from May 25th 2018 a new General Data Protection Regulation (GDPR) will enter into force. It sets forth new data protection obligations that every company which processes personal data in any manner (so basically any active company in existence) will have to adhere to.
Hereby we provide a basic but hopefully informative overview of the key elements and obligations, from the perspective of the advertising industry (AdTech), that must be taken into account once the regulation enters into force. Although the regulation is still a few months away, reorganising a company's data processing practices takes time, so even small and medium-sized enterprises are advised to start preparing for the changes now.

What constitutes personal data?

In short, personal data is any data which can be used to directly or indirectly identify a person. Hence, personal data can be anything from a name, photo, email address, bank details, posts on social networking websites, consumer behaviour data, location data or medical information to an IP address. If the information cannot be associated with an individual person, it is not personal data and is therefore not regulated by the GDPR. Consequently, information that is anonymous or depersonalised is excluded from the GDPR (for example, general statistical data). This means that AdTech companies can avoid many of the GDPR obligations if the personal data they hold is anonymised or depersonalised and cannot be reversed back to an individual person. If a pseudonymous identifier (such as a hashed user ID) can still be linked back to the person, the data remains personal data.

What is data processing?

Processing means any operation or set of operations performed on personal data. For example, collecting, recording, organising, storing, analysing, changing, enriching, using and transferring to other parties are all forms of data processing and are thereby regulated by the GDPR.

General data processing obligations

There are general data processing obligations which must be complied with, mainly the following:

  • There must be a lawful basis for the data processing: for example the data subject's consent (typically acceptance of the Privacy Policy), the processing being necessary to provide services to the customer, or the right to process being explicitly stated in the law. If you do not have a lawful basis for the processing, you cannot use the data.
  • The company must have sufficient technical and organisational measures in place to protect the data from being exposed to unauthorised third parties. The more sensitive the personal data, the higher the technical standard required (for example, medical data should be encrypted).

In addition to the general obligations, there are several new and specific obligations, described below, which many AdTech companies must follow.

Recording company’s personal data processing activities

If an AdTech company gains access to at least some personal data of the advertising subjects, it is obliged to create a record of the company's personal data processing activities. The record must give a general overview of which data is processed, for what purposes it is processed, who the processor is, to whom the data is transferred, how long the data is kept and how it is protected.
This record must be kept in written form; you can use Excel, Word or a specialised service provider for the recordkeeping.

Carrying out a data protection impact assessment

An impact assessment is a document assessing whether the data processing activities of the company would constitute a high risk to the rights or freedoms of the data subjects. The obligation to carry out an impact assessment arises if the company, after May 25th 2017, starts using a new technology in its data processing activities or otherwise engages in a new data processing activity which results in a high risk to the rights and freedoms of data subjects (which is probable if the company is processing the personal data of thousands of people). Thus, new automated data processing activities, for example to decide which advertisements to direct to which customers (identified by name and face), will typically fall under this category.

Appointing a Data Protection Officer (DPO)

Who is a DPO? In short, a data protection officer is a person designated by the company who is responsible for making sure that the organisation follows the data protection regulations. The data protection officer may be an employee of the company, but must have expert knowledge of data protection regulations and standards and be able to fulfil the DPO's obligations established in the law.

Not all companies have to appoint a DPO. However, the business model of many AdTech companies results in the company gaining access to the personal data of a large number of people. For AdTech companies, the rule of thumb is that if the company gains access to the personal data of individual customers, it is most likely obliged to appoint a data protection officer. If the personal data includes medical data, biometric data, political or philosophical beliefs or other sensitive data, a DPO must be appointed without exception.

What if I am merely processing data on behalf of my client?

The GDPR continues the data processor and data controller duality. In essence, a data controller is the entity responsible for the data processing. A data processor is merely an entity authorised to carry out certain elements of the processing on behalf of, and with the permission of, the data controller. The processor may not process the data for any other reason, nor use it in any other manner, than explicitly for the purpose the data controller specifies. Therefore, a number of AdTech companies may be regarded merely as data processors.
Data processors must have technical and organisational measures in place to ensure sufficient protection of the data, and a processor may only process the data in accordance with the agreement concluded with the data controller.
