LIA: Special Purpose 1

A: Identifying a legitimate interest





What is the purpose of the processing operation

  • Monitoring, preventing ex and post ante:

    • General Invalid Traffic Detection and Blocking

    • Sophisticated Invalid Traffic Detection and Blocking

      • Automated Browsing, Dedicated Device

      • Automated Browsing, Non-Dedicated Device

      • Incentivized Human Activity

      • Manipulated Human activity

      • Falsified Measurement Events

      • Domain Misrepresentation

      • Hidden Ads

  • Process of identifying product errors - making products work (not improving them)

  • Ensuring operability of the system/platform.

Is the processing necessary to meet one or more specific organisational objectives?

Yes. The organization delivers advertisements to different ad spaces with different behavior and prerequisites. It is necessary to be able to optimize ad delivery with respect to measures named above in order to fulfill, prove and bill the organization’s service to advertisers.

Is the processing necessary to meet one or more specific objectives of any Third Party?


Does the GDPR, ePrivacy Regulation or other national legislation specifically identify the processing activity as being a legitimate activity, subject to the completion of a balancing test and positive outcome?


Why is the processing activity important to the Controller?

It is important to the Controller as different advertisers have different requirements and benchmarks for delivery of their ad creatives. The Controller has a vital interest to use its resources to the best of its knowledge and utilization.

If applicable, why is the processing activity important to Third Parties the data may be disclosed to?


B: The necessity test





Is there an alternative way to achieve the objective without conducting this processing activity?

We have considered any alternative solutions and can find none that meet our purpose

C: The balancing test





Would the individual expect the processing activity to take place?

The user not necessarily expects this as it affects mainly the business relationship between Controller and advertiser. However, publishers on whose sites we deliver advertisements have a suitable notice in place that inform users of this activity.

Does the processing add value to a product or service that the individual uses?


Is the processing likely to negatively impact the individual’s interests and/or rights?


Would the processing limit or undermine the rights of individuals?

No in our assessment.

Is the processing likely to result in unwarranted harm or distress to the individual?

We believe not based on our assessment.

Would unwarranted harm or distress to the individual occur if the processing did not take place?

Not in our view.

Would there be a prejudice to Data Controller if processing does not happen?


If applicable, would there be a prejudice to the Third Party if processing does not happen?


Is the processing in the interests of the individual whose personal data it relates to?

Yes, as it ensures proper payment of ad spaces, resulting payouts to publishers and thus a stable supply to the user.

Are the interests of the individual aligned with the party looking to rely on their legitimate interests for the processing?

We believe so.

What is the connection between the individual and the organisation?


What is the nature of the data to be processed? Does data of this nature have any special protections under GDPR?

Data gets collected by measuring single web requests upon specific states and/or user actions the advertisement undergoes (e.g. ad visibility changes, error states, detected suspicious behavior etc.). This data enjoys no special protections under GDPR.

Is there a two-way relationship in place between the organisation and the individual whose personal information is going to be processed? If so how close is that relationship?

Relationship can be considered periodic, whenever user is presented an ad space that is filled by demand delivered by data controller.

Has the personal information been obtained directly from the individual, or obtained indirectly?

Indirectly. Information gets collected automatically as soon as ad is presented to user.

Is there any imbalance in who holds the power between the organisation and the individual?

Not in our assessment. As a service provider in use by the publisher, we assist in publisher’s rightful aim to monetize its content. Users are able to either not use publisher’s service or to block advertisements with so-called ad blocking software.

Is it likely that the individual may expect their information to be used for this purpose?

We are not sure. However, it is common knowledge that delivering advertisements on ad spots is a commercial activity and thus needs to be measured in order to be billed.

Could the processing be considered intrusive or inappropriate? In particular, could it be perceived as such by the individual or in the context of the relationship?

We do not believe so.

Is a Fair Processing Notice provided to the individual, if so, how? Are they sufficiently clear and up front regarding the purposes of the processing?

Individuals will be informed when they first enter the webpage of one of our partner publishers. Fair Processing Notice and consent will be collected via industry standard consent management platforms.

Can the individual, whose data is being processed, control the processing activity or object to it easily?

The users have all the usual rights under applicable law.

Can the scope of the processing be modified to reduce/mitigate any underlying privacy risks or harms?

No, there is no privacy risk to the individual according to our assessment.

D: Safeguards and compensating controls





What existing safeguards are in place?

We do not collect any user specific data that can be used to associate a user in our system with an actual person. All additional data is only stored in an aggregated manner with respect to either the publisher or the advertiser.

Will any further safeguards be put in place?


E: Reaching a decision and documenting the outcome

Having carried out the above balancing test and LIA we believe that the policies and procedures we have put in place will ensure that our legitimate interests are not overreached by the rights of individuals whose personal data will be processed according to special purpose 1 of the IAB TCF 2.0

Signed by: @Patrick Jähnichen

Role: DPO

Date: May 20, 2020

Review date: