WebAds Interactive Advertising BV, WebAds Srl, WebAds Interactive SL,
hereafter WebAds, declare the following:
'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
'visitor' means a natural person that visits a website in the WebAds publisher network.
'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
'restriction of processing' means the marking of stored personal data with the aim of limiting their processing in the future;
'profiling' means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
'recipient' means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
'third party' means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
'consent UI' means a user interface where a visitor can grant or revoke consent to processing and storage of personal data;
'consent management provider' means the system where the consent expressed in the consent UI is stored and managed.
Contents
1.12 Consent Management Provider
4.3 The right to rectification
4.5 The right to restrict processing
4.6 The right to data portability
4.8 Rights in relation to automated decision making and profiling
6.1 WebAds Interactive Advertising BV
The scope of this document is limited to:
i. the situation where visitor is exposed to WebAds ad serving technology
ii. the WebAds Publisher Network
iii. a declaration of conformity with EU Regulation 2016/679 commonly known as the General Data Protection Regulation.
Under these limitations, this document states what personal data is being processed, what rights visitor has regarding the processing of this data, the procedures involved and what legal entities are involved.
An IP address is the virtual location in an IP network where the visitor can be reached. There is no direct relationship between IP address and geographic location. An IP address is analogous to a post office box. An IP address is considered personal data since the number of persons addressable with the IP address is limited.
Visitors in our network expose their IP address to WebAds. This happens when a visitor places an HTTP request to one of our webservers. WebAds does not process IP addresses for purposes other than:
i. addressing its responses to HTTP requests
ii. financial bookkeeping
iii. fraud prevention
When visitors expose their IP address to one of WebAds' webservers, it is stored in the logs of the webserver.
Since the IP address is necessary for a webserver to deliver a proper response to the visitor upon request, the request is considered implicit consent to process and store the IP address in the webserver.
Since the IP address is evidence of delivery fulfilment and in the prevention of fraud with bot nets and other forms of non-human traffic, WebAds has a legitimate interest in processing and storing IP addresses.
The interests of the visitor are balanced against this legitimate interest by restricting the retention period as set out in article 5.2.
The IP address is not shared with other recipients.
The IP address is not shared with third parties.
An ad unit is a portion of a website reserved for advertisements. Ad unit recency consists of a unique identifier, a date and time on which a user was last exposed to that specific ad unit.
Some ad units are more intrusive to the user experience than others. To balance ad monetization and user experience, WebAds limits the frequency of ad units by calculating the amount of time that passed since the last time a visitor was exposed to a specific ad unit.
Ad unit recency is stored client side in the cookie of the page the visitor visits.
From the ad unit recency, it can be derived when a visitor last visited this website. This is a form of behavioural profiling. WebAds seeks consent to use and store recency from the visitor through its Consent UI or 3rd party Consent Management Provider. Withholding consent will disable frequency and recency control, resulting in more and more intrusive ads.
Ad unit recency is not actively shared with other recipients. However, with some effort data stored in the cookie of the page can be accessed by anyone with access to the main document.
Ad unit recency is not actively shared with other third parties. However, with some effort data stored in the cookie of the page can be accessed by anyone with access to the main document.
The visitor has the right to be informed about the processing and storage of their personal data by WebAds. This right is covered by this privacy policy. This privacy policy is available through the WebAds Consent UI and third-party Consent UIs. The WebAds Consent UI can be accessed through the privacy fingerprint button shown on websites in the WebAds Publisher Network. Third-party Consent UIs have similar points of access.
The visitor has the right to access their personal data stored by WebAds. This right is covered by the data disclosure procedure set out in article 5.3.
The visitor has the right to have inaccurate personal data rectified. Since the personal data described in article 3 does not leave room for interpretation, a request for rectification will be considered a request for erasure. The procedure for this request is set out in article 5.4.
The visitor has the right to have personal data erased. This right is covered by the data destruction procedure set out in article 5.4.
The visitor has the right to request restriction or suppression of their personal data. For the data described in article 3.1 a request for restriction will be considered a request for erasure. The procedure for this request is set out in article 5.4.
For the data described in article 3.2 storage and processing only takes place on the visitor's computer. Visitor can restrict storage and processing by revoking consent through the Consent UI.
The visitor has the right to data portability. The data described in article 3 are not of generic nature. A request for data transfer will be considered a request for access. The procedure for this request is set out in article 5.3.
The visitor has the right to object to the processing of their personal data. For the data described in article 3.1 objection will be considered a request for erasure. The procedure for this request is set out in article 5.4.
For the data described in article 3.2 storage and processing only takes place on the visitor's computer. Visitor can restrict storage and processing by revoking consent through the Consent UI.
The visitor has the right to limit the influence of automated decision making and profiling. The data described in article 3.2 is used for automated decision making and profiling. Storage and processing of this data only takes place on the visitor's computer. Visitor can restrict storage, processing and thus automated decision making and profiling by revoking consent through the Consent UI.
WebAds has appointed a Data Protection Officer as a central point of access for all visitors regarding all issues concerning the processing and storage of personal data. The DPO can be reached by email through dpo@webads.eu or phone: +31 (0) 20 62 616 34
The IP address as described in article 3.1 is stored in the logs of a webserver. This data is not replicated besides:
i. Virtual Machine snapshots
The IP address does not leave the datacentre. The datacentre is certified according to:
i. ISO 9001
ii. ISO 27001
iii. ISO 14001
iv. NEN 7510
v. PCI DSS
The IP address is only accessible by WebAds employees in the technical department who were trained for server maintenance and database administration. The IP address is only shared with:
i. Visitor that can prove access to the IP Address.
ii. The Data Protection Officer as described in article 4.9.
Reporting to colleagues, management, clients and others is limited to meta data derived from the IP address. This meta data is anonymized.
Ad unit recency as described in article 3.2 is stored client side in the browser of the visitor. Ad Unit recency is public, not critical, not replicated and unprotected.
The IP address as described in article 3.1 is stored in the logs of a webserver. These logs have automatic log rotation. Data is automatically deleted every 4 weeks.
Virtual Machine snapshots renew every 4 hours. The previous snapshot is deleted in the process.
Ad unit recency as described in article 3.2 is stored client side in the browser of the visitor. The retention period for ad unit recency depends on the default cookie lifetime of the browser.
The log entries containing the IP address as described in article 3.1 will be disclosed to a visitor that can prove to have access to the IP address.
That visitor can address a request for information to the Data Protection Officer as described in article 4.9.
The log entries containing the IP address as described in article 3.1 will be destroyed upon verified request from a visitor that can prove to have access to the IP address.
That visitor can address a request for information to the Data Protection Officer as described in article 4.9.
The legal entities declaring this privacy policy are:
Keizersgracht 256
1016 EV Amsterdam
The Netherlands
Registered under:
KVK te Amsterdam
34248860
Via Olmetto 21
I-20123 Milano
Italy
Registered under:
Code Fiscale
01280390558
Numero Rea
01280390558 1784438
Calle Bravo Murillo 50 1 A
Madrid 28
Spain
Registered under:
Mercantil de Madrid
Hoja M-491067
Tomo 27256
Folio 182
C.I.F. B-85828937