LIA: Purpose 8

A: Identifying a legitimate interest

Question

Answer

Question

Answer

What is the purpose of the processing operation

  • Measure how many users engaged with content, for how long and what was the nature of that engagement (click, tap, hover, scroll etc.)

  • Determine how many unique users or devices content was served to

  • Measure the time when users saw content

  • Measure/ analyse the characteristics of the device content was served to (non-precise location, type of device, screen size, language of the device, operating system/browser, mobile carrier)

  • Measure user referrals

Is the processing necessary to meet one or more specific organisational objectives?

Yes. The organization provides content to be displayed in different ad spaces for different publishers, adding a value to them and helping publishers to monetize their content. It is necessary to be able to optimize content delivery with respect to purposes named above in order to fulfill, prove and bill the organization’s service to publishers.

Is the processing necessary to meet one or more specific objectives of any Third Party?

No.

Does the GDPR, ePrivacy Regulation or other national legislation specifically identify the processing activity as being a legitimate activity, subject to the completion of a balancing test and positive outcome?

No.

Why is the processing activity important to the Controller?

It is important to the Controller as different publishers have different requirements and benchmarks for delivery of content into their ad spaces. The Controller has a vital interest to use its resources to the best of its knowledge and utilization.

If applicable, why is the processing activity important to Third Parties the data may be disclosed to?

N/A

B: The necessity test

Question

Answer

Question

Answer

Is there an alternative way to achieve the objective without conducting this processing activity?

We have considered any alternative solutions and can find none that meet our purpose

C: The balancing test

Question

Answer

Question

Answer

Would the individual expect the processing activity to take place?

The user not necessarily expects this as it affects mainly the business relationship between Controller and publisher. However, publishers on whose sites we deliver content have a suitable notice in place that inform users of this activity.

Does the processing add value to a product or service that the individual uses?

No.

Is the processing likely to negatively impact the individual’s interests and/or rights?

No.

Would the processing limit or undermine the rights of individuals?

No in our assessment.

Is the processing likely to result in unwarranted harm or distress to the individual?

We believe not based on our assessment.

Would unwarranted harm or distress to the individual occur if the processing did not take place?

Not in our view.

Would there be a prejudice to Data Controller if processing does not happen?

No.

If applicable, would there be a prejudice to the Third Party if processing does not happen?

N/A

Is the processing in the interests of the individual whose personal data it relates to?

Yes, as it ensures proper payment of content delivery, its monetization, resulting payouts to publishers and thus a stable supply to the user.

Are the interests of the individual aligned with the party looking to rely on their legitimate interests for the processing?

We believe so.

What is the connection between the individual and the organisation?

Consumer

What is the nature of the data to be processed? Does data of this nature have any special protections under GDPR?

Data gets collected by measuring single web requests upon specific states and/or user actions the content undergoes (e.g. player loaded, start of the content, first quarter of contend played, content complete, content unmuted etc.). This data enjoys no special protections under GDPR.

Is there a two-way relationship in place between the organisation and the individual whose personal information is going to be processed? If so how close is that relationship?

Relationship can be considered periodic, whenever user is presented an ad space that is filled by demand delivered by data controller.

Has the personal information been obtained directly from the individual, or obtained indirectly?

Indirectly. Information gets collected automatically as soon as content is presented to user.

Is there any imbalance in who holds the power between the organisation and the individual?

Not in our assessment. As a service provider in use by the publisher, we assist in publisher’s rightful aim to monetize its content. Users are able to either not use publisher’s service or to block ad spots and consequently content delivery with so-called ad blocking software.

Is it likely that the individual may expect their information to be used for this purpose?

We are not sure. However, ad spots on which we deliver content are clearly marked and it is common knowledge that delivering content on ad spots is a commercial activity and thus needs to be measured in order to be billed.

Could the processing be considered intrusive or inappropriate? In particular, could it be perceived as such by the individual or in the context of the relationship?

We do not believe so.

Is a Fair Processing Notice provided to the individual, if so, how? Are they sufficiently clear and up front regarding the purposes of the processing?

Individuals will be informed when they first enter the webpage of one of our partner publishers. Fair Processing Notice and consent will be collected via industry standard consent management platforms.

Can the individual, whose data is being processed, control the processing activity or object to it easily?

The users have all the usual rights under applicable law.

Can the scope of the processing be modified to reduce/mitigate any underlying privacy risks or harms?

No, there is no privacy risk to the individual according to our assessment.

D: Safeguards and compensating controls

Question

Answer

Question

Answer

What existing safeguards are in place?

We do not collect any user specific data that can be used to associate a user in our system with an actual person. All additional data is only stored in an aggregated manner with respect to either the publisher or the advertiser.

Will any further safeguards be put in place?

N/A

E: Reaching a decision and documenting the outcome

Having carried out the above balancing test and LIA we believe that the policies and procedures we have put in place will ensure that our legitimate interests are not overreached by the rights of individuals whose personal data will be processed according to purpose 8 of the IAB TCF 2.0

Signed by: @Patrick Jähnichen (Unlicensed)

Role: DPO

Date: May 20, 2020

Review date: