Would the individual expect the processing activity to take place?
The user not necessarily expects this as it affects mainly the business relationship between Controller and publisher. However, publishers on whose sites we deliver content have a suitable notice in place that inform users of this activity.
Does the processing add value to a product or service that the individual uses?
Is the processing likely to negatively impact the individual’s interests and/or rights?
Would the processing limit or undermine the rights of individuals?
No in our assessment.
Is the processing likely to result in unwarranted harm or distress to the individual?
We believe not based on our assessment.
Would unwarranted harm or distress to the individual occur if the processing did not take place?
Not in our view.
Would there be a prejudice to Data Controller if processing does not happen?
If applicable, would there be a prejudice to the Third Party if processing does not happen?
Is the processing in the interests of the individual whose personal data it relates to?
Yes, as it ensures proper payment of content delivery, its monetization, resulting payouts to publishers and thus a stable supply to the user.
Are the interests of the individual aligned with the party looking to rely on their legitimate interests for the processing?
We believe so.
What is the connection between the individual and the organisation?
What is the nature of the data to be processed? Does data of this nature have any special protections under GDPR?
Data gets collected by measuring single web requests upon specific states and/or user actions the content undergoes (e.g. player loaded, start of the content, first quarter of contend played, content complete, content unmuted etc.). This data enjoys no special protections under GDPR.
Is there a two-way relationship in place between the organisation and the individual whose personal information is going to be processed? If so how close is that relationship?
Relationship can be considered periodic, whenever user is presented an ad space that is filled by demand delivered by data controller.
Has the personal information been obtained directly from the individual, or obtained indirectly?
Indirectly. Information gets collected automatically as soon as content is presented to user.
Is there any imbalance in who holds the power between the organisation and the individual?
Not in our assessment. As a service provider in use by the publisher, we assist in publisher’s rightful aim to monetize its content. Users are able to either not use publisher’s service or to block ad spots and consequently content delivery with so-called ad blocking software.
Is it likely that the individual may expect their information to be used for this purpose?
We are not sure. However, ad spots on which we deliver content are clearly marked and it is common knowledge that delivering content on ad spots is a commercial activity and thus needs to be measured in order to be billed.
Could the processing be considered intrusive or inappropriate? In particular, could it be perceived as such by the individual or in the context of the relationship?
We do not believe so.
Is a Fair Processing Notice provided to the individual, if so, how? Are they sufficiently clear and up front regarding the purposes of the processing?
Individuals will be informed when they first enter the webpage of one of our partner publishers. Fair Processing Notice and consent will be collected via industry standard consent management platforms.
Can the individual, whose data is being processed, control the processing activity or object to it easily?
The users have all the usual rights under applicable law.
Can the scope of the processing be modified to reduce/mitigate any underlying privacy risks or harms?
No, there is no privacy risk to the individual according to our assessment.