LIA: Purpose 2

A: Identifying a legitimate interest

Question

Answer

Question

Answer

What is the purpose of the processing operation

  • Selection and delivery of an ad based on real-time data (e.g. information about the page content, app type, device type and capabilities, user agent, URL, IP address etc.)

  • Real time data, as referenced above, may be used for positive or negative targeting.

  • processing of non-precise geolocation data to select and deliver an ad

Is the processing necessary to meet one or more specific organisational objectives?

Yes. The processing is necessary to fulfill the company’s core service for its partners: monetizing content in terms of ad delivery. Also: delivery of contextual advertisements to publishers and non-precise geo-targeting, keyword targeting, format selection of advertisements from advertisers.

Is the processing necessary to meet one or more specific objectives of any Third Party?

No.

Does the GDPR, ePrivacy Regulation or other national legislation specifically identify the processing activity as being a legitimate activity, subject to the completion of a balancing test and positive outcome?

No.

Why is the processing activity important to the Controller?

It is important to the controller for fulfilling its contractual liabilities with its partners and to prove to them the provision of these liabilities.

If applicable, why is the processing activity important to Third Parties the data may be disclosed to?

N/A

B: The necessity test

Question

Answer

Question

Answer

Is there an alternative way to achieve the objective without conducting this processing activity?

We have considered any alternative solutions and can find none that meet our purpose

C: The balancing test

Question

Answer

Question

Answer

Would the individual expect the processing activity to take place?

Yes. It is common knowledge that publishers are selling ad spaces on their content, that advertisers pay for it and that these ad spaces are filled with ads that are chosen to the likings/history/interest of the user.

Does the processing add value to a product or service that the individual uses?

Yes. Advertisements that are selected in this way are more interesting and less obtrusive to the individual user.

Is the processing likely to negatively impact the individual’s interests and/or rights?

Not in our view.

Would the processing limit or undermine the rights of individuals?

No in our assessment.

Is the processing likely to result in unwarranted harm or distress to the individual?

We believe not in our assessment.

Would unwarranted harm or distress to the individual occur if the processing did not take place?

Not in our view.

Would there be a prejudice to Data Controller if processing does not happen?

Yes. If processing does not happen, users are submitted to random advertisement selection. Hence, also to those they may find distasteful and/or inapt.

If applicable, would there be a prejudice to the Third Party if processing does not happen?

N/A

Is the processing in the interests of the individual whose personal data it relates to?

Yes. It enables the controller to deliver ads that users find meaningful, apt and useful.

Are the interests of the individual aligned with the party looking to rely on their legitimate interests for the processing?

We believe so.

What is the connection between the individual and the organisation?

Consumer

What is the nature of the data to be processed? Does data of this nature have any special protections under GDPR?

Unique User ID (if available), surrounding content, browser, device type, app type/name, URL, IP address.
None of these underly any special protections under GDPR.

Is there a two-way relationship in place between the organisation and the individual whose personal information is going to be processed? If so how close is that relationship?

Relationship can be considered periodic, whenever user is presented an ad space that is filled by demand delivered by data controller.

Has the personal information been obtained directly from the individual, or obtained indirectly?

Indirectly. Information is available from online context user is affected by. Upon consent by user for purpose 1, Unique User ID is generated and stored with the user.

Is there any imbalance in who holds the power between the organisation and the individual?

As a service provider in user by the publisher, we assist in publisher’s rightful aim to monetize its content. Users are able to either not use publisher’s service or to block advertisements with so-called ad blocking software.

Is it likely that the individual may expect their information to be used for this purpose?

We are not sure. However, it has become common knowledge that above mentioned information is used for selecting and presenting advertisements to users.

Could the processing be considered intrusive or inappropriate? In particular, could it be perceived as such by the individual or in the context of the relationship?

We do not believe so. We only use ad-hoc personal information as described above or randomly generated unique identifiers that cannot be traced back to an individual.

Is a Fair Processing Notice provided to the individual, if so, how? Are they sufficiently clear and up front regarding the purposes of the processing?

Individuals will be informed when they first enter the webpage of one of our partner publishers. Fair Processing Notice and consent will be collected via industry standard consent management platforms.

Can the individual, whose data is being processed, control the processing activity or object to it easily?

The users have all the usual rights under applicable law.

Can the scope of the processing be modified to reduce/mitigate any underlying privacy risks or harms?

There is no privacy risk to the individual according to our assessment. Consent for purpose 1 can be declined, limiting available information to mentioned criteria above, each of which is based on the current user specific impression but cannot be associated with an actual individual.

D: Safeguards and compensating controls

Question

Answer

Question

Answer

What existing safeguards are in place?

By definition, we use mentioned data only for the purpose of ad-hoc ad selection and presentation. In addition, we do not collect any user specific data that can be used to associate a user in our system with an actual person. All additional data is only stored in an aggregated manner with respect to either the publisher or the advertiser.

Will any further safeguards be put in place?

N/A

E: Reaching a decision and documenting the outcome

Having carried out the above balancing test and LIA we believe that the policies and procedures we have put in place will ensure that our legitimate interests are not overreached by the rights of individuals whose personal data will be processed according to purpose 2 of the IAB TCF 2.0

Signed by: @Patrick Jähnichen (Unlicensed)

Role: DPO

Date: May 20, 2020

Review date: