What is the purpose of the processing operation

• Receiving and responding to ad requests

• Delivery of ad-files to an IP address

• Receiving and responding to content requests

• Delivery of content files to an IP address

• Logging that an ad was delivered, without recording any personal data about the user

• Logging that content was delivered, without recording any personal data about the user.

Is the processing necessary to meet one or more specific organisational objectives?

Yes. The organization delivers content and advertisements to different ad spaces with different behavior and prerequisites. It is necessary to be able to optimize content and ad delivery with respect to purposes named above in order to fulfill, prove and bill the organization’s service to advertisers.

Is the processing necessary to meet one or more specific objectives of any Third Party?

No.

Does the GDPR, ePrivacy Regulation or other national legislation specifically identify the processing activity as being a legitimate activity, subject to the completion of a balancing test and positive outcome?

No.

Why is the processing activity important to the Controller?

It is important to the Controller as different advertisers and publishers have different requirements and benchmarks for delivery of content or their ad creatives respectively. The Controller has a vital interest to use its resources to the best of its knowledge and utilization.

If applicable, why is the processing activity important to Third Parties the data may be disclosed to?

N/A

Is there an alternative way to achieve the objective without conducting this processing activity?

We have considered any alternative solutions and can find none that meet our purpose

Would the individual expect the processing activity to take place?

The user not necessarily expects this as it affects mainly the business relationship between Controller and publisher or advertiser. However, publishers on whose sites we deliver content and advertisements have a suitable notice in place that inform users of this activity.

Does the processing add value to a product or service that the individual uses?

No.

Is the processing likely to negatively impact the individual’s interests and/or rights?

No.

Would the processing limit or undermine the rights of individuals?

No in our assessment.

Is the processing likely to result in unwarranted harm or distress to the individual?

We believe not based on our assessment.

Would unwarranted harm or distress to the individual occur if the processing did not take place?

Not in our view.

Would there be a prejudice to Data Controller if processing does not happen?

No.

If applicable, would there be a prejudice to the Third Party if processing does not happen?

N/A

Is the processing in the interests of the individual whose personal data it relates to?

Yes, as it ensures proper payment of ad spaces, resulting payouts to publishers and thus a stable supply to the user.

Are the interests of the individual aligned with the party looking to rely on their legitimate interests for the processing?

We believe so.

What is the connection between the individual and the organisation?

Consumer

What is the nature of the data to be processed? Does data of this nature have any special protections under GDPR?

Data gets collected in reaction to content delivery or ad delivery requests. This data enjoys no special protections under GDPR.

Is there a two-way relationship in place between the organisation and the individual whose personal information is going to be processed? If so how close is that relationship?

Relationship can be considered periodic, whenever user is presented an ad space that is filled by demand delivered by data controller.

Has the personal information been obtained directly from the individual, or obtained indirectly?

Indirectly. Information gets collected automatically as soon as content or ad is requested by and gets delivered to user’s browsing client.

Is there any imbalance in who holds the power between the organisation and the individual?

Not in our assessment. As a service provider in use by the publisher, we assist in publisher’s rightful aim to monetize its content. Users are able to either not use publisher’s service or to block content/advertisements with so-called ad blocking software.

Is it likely that the individual may expect their information to be used for this purpose?

We are not sure. However, ad spots in which our content is delivered are clearly marked as such. Also, it is common knowledge that delivering additional content/advertisements on ad spots is a commercial activity and thus needs to be measured in order to be billed.

Could the processing be considered intrusive or inappropriate? In particular, could it be perceived as such by the individual or in the context of the relationship?

We do not believe so.

Is a Fair Processing Notice provided to the individual, if so, how? Are they sufficiently clear and up front regarding the purposes of the processing?

Individuals will be informed when they first enter the webpage of one of our partner publishers. Fair Processing Notice and consent will be collected via industry standard consent management platforms.

Can the individual, whose data is being processed, control the processing activity or object to it easily?

The users have all the usual rights under applicable law.

Can the scope of the processing be modified to reduce/mitigate any underlying privacy risks or harms?

No, there is no privacy risk to the individual according to our assessment.

What existing safeguards are in place?

We do not collect any user specific data that can be used to associate a user in our system with an actual person. IP Addresses are anonymized. Collected data are stored in our data processing center located in Germany. We use encrypted connections to record and collect the data and retain such not longer as is necessary for fulfilling the above defined purpose.

Will any further safeguards be put in place?

N/A