OVERVIEW

On 25 May 2018, the EU General Data Protection Regulation (“GDPR”) comes into force, replacing the 1995 EU Data Protection Directive. The GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to unify data protection laws across Europe, regardless of where that data is processed.

PIXALATE IS GDPR READY

As detailed below, we have taken significant administrative and technical measures to ensure our GDPR compliance. We have confirmed our legal basis for processing of personal data in accordance with the GDPR, assessed and improved our data governance infrastructure, identified our key compliance stakeholders, adopted business partner qualification processes, implemented and documented our information security measures, established processes to deal with potential breaches, adopted the Privacy Shield frameworks for our transfers of data from the European Economic Area (EEA) to the US, and updated our Privacy Policy to provide greater transparency.

FRAUD PREVENTION IS OUR LEGAL BASIS FOR PROCESSING OF PERSONAL DATA

Article 6 of the GDPR provides a right to process personal data to further legitimate interests, provided that doing so will not infringe adversely upon the fundamental rights and freedoms of individuals. Recital 47 of the GDPR states expressly that the “processing of personal data strictly necessary for the purposes of preventing fraud” constitutes a legitimate interest, and such provision serves as our legal basis for the processing of personal data under the GDPR.

WE ALIGN OUR BUSINESS PARTNER QUALIFICATION PROCESSES WITH OUR FRAUD PREVENTION MISSION

In order to protect the digital advertising supply chain and prevent fraud, we limit our business relationships to legitimate enterprises that demonstrate a shared interest in detecting and filtering invalid traffic (“IVT”). Each vendor that we utilize to process personal information goes through our rigorous selection process, and our contracts relating to European data subjects are designed to ensure that all processing of personal data is in accordance with the GDPR.

For both our vendor and client relationships, we periodically assess the suitability, fairness of presentation, and effectiveness of our business partners’ IVT-related processes and procedures. Because our contracts are aligned with our fraud prevention objectives, we are able to initiate expeditious termination of agreements in the event that diligence identifies non-compliance.1

1 Because we make extensive use of Amazon Web Services (“AWS”) and the Google Cloud Platform, it is important to note that the EU data protection authorities, acting collectively as the Article 29 Working Party, have approved: (i) Google’s “model contracts” based agreements for its Cloud Platform, and (ii) Amazon’s AWS Data Processing Agreement (DPA).

WE RELY UPON THE MODEL CONTRACTS AND THE EU-US AND SWISS-US PRIVACY SHIELD FRAMEWORKS FOR OUR INTERNATIONAL DATA TRANSFERS

The GDPR provides several mechanisms to facilitate transfers of personal data outside of the EU. Each of these mechanisms is aimed at confirming an adequate level of protection or ensuring the implementation of appropriate safeguards when personal data is transferred outside of the EU. Appropriate safeguards can be provided for by the model contracts for the transfer of personal data to non-EU countries.

An adequate level of protection can be confirmed by adequacy decisions such as the ones that support the EU-US and Swiss-US Privacy Shield frameworks. Designed by the US Department of Commerce and the European Commission and Swiss Administration, the frameworks provide companies with a mechanism to comply with data protection requirements when transferring personal data from the EU and Switzerland to the US.

We rely upon both model contracts, and certification under the Privacy Shield frameworks, as bases for US-based processing of personal data regarding EU data subjects. Going forward, we intend to maintain reasonable and appropriate mechanisms to facilitate transfers of personal data outside of the EU as required by the GDPR.

WE ARE COMMITTED TO DATA PROTECTION, CONDUCT PRIVACY IMPACT ASSESSMENTS AND UNDERGO ANNUAL AUDIT PROCEDURES TIED TO COBIT

We are accredited for sophisticated invalid traffic (SIVT) detection and filtration for desktop and mobile web impressions by the Media Ratings Council (“MRC”). In connection with our MRC accreditation, an independent auditing firm performs testing procedures annually, including information technology (“IT”) security procedures pursuant to COBIT. We also leverage the Information Systems Audit and Control Association (ISACA)’s Privacy Principles for GDPR Compliance, which are aligned with COBIT and GDPR Article 35.

WE HAVE UPDATED OUR PRIVACY POLICY TO PROVIDE GREATER TRANSPARENCY

Effective May 18, 2018, we updated our Privacy Policy. Our updated policy details the types of data we collect and the technologies utilized to collect such data. It makes clear that we use this collected data to analyze the quality of digital advertising opportunities, provide digital advertising inventory fraud detection services, and generate our digital advertising inventory quality-related rankings, reports and indices. If you have any questions about our Privacy Policy, or our GDPR compliance efforts, you may contact our Data Protection Officer (DPO) by writing to privacy@pixalate.com.