GDPR FAQs, The MediaGrid¶
Last Updated: Dec 17, 2018
What entity is covered by these FAQs?
Rights and obligations of Controllers and Processors under GDPR
Is The MediaGrid a controller or a processor under GDPR?
What personal data does The MediaGrid process for the purposes of GDPR?
What is the purpose for the personal data you process?
Do you share personal data you collect with other third parties?
Do you follow the IAB Transparency & Consent framework?
What Bid Request fields is The MediaGrid going to populate and how in order to support the IAB framework?
What consent is required for The MediaGrid?
Is The MediaGrid registering with IAB to be included in their GDPR vendor list?
Will The MediaGrid send a bid request to a DSP where user consent has not been given in the bid stream?
How will The MediaGrid handle user consent in regards to cookie-matching?
Is The MediaGrid going to audit creative snippets returned by DSPs in bid responses?
Will The MediaGrid continue to trade media with all partners - those on the consent route and on the legitimate interest?
How will The MediaGrid support the rights of data subjects under GDPR, including erasure, portability, access, information, rectification, etc?
Do we need to update our contract with you?
Does The MediaGrid have a Data Protection Officer (or DPO)?
Who can I contact for more information?
What is GDPR?¶
The General Data Protection Regulation, or GDPR, is the name of the EU’s new laws on data protection and security which becomes law across all EU member states on May 25, 2018. It is intended to strengthen and protect the personal data of data subjects and give those data subjects more control over their personal data. It does this by placing new obligations on all organizations that market, track, or handle personal data within one or more EU member states. The scope of the GDPR includes any personal data that leaves and/or enters any EU member state and therefore organizations located outside the EU involved in such data transfers will also need to comply with the GDPR.
What entity is covered by these FAQs?¶
These FAQs relate to The MediaGrid GmbH and cover the various services and products that process personal data as defined by GDPR on behalf of our customers and partners.
Rights and obligations of Controllers and Processors under GDPR¶
A controller is the entity that determines the purposes, conditions and means of the processing of personal data, given that they have a legal basis to do so, while the processor is an entity that processes personal data on behalf of a controller.
Controller responsibilities according to GDPR:
Determine and communicate basis for collecting and processing personal data
Obtain informed consent from users, if determined necessary based on business uses
Inform data subjects as to how their personal data will be used and processed
Collect, process, and store personal data lawfully and securely
Ensure all partners, to whom personal data is passed, are also GDPR compliant
Act on any data subject requests regarding the use and processing of their personal data
Processors collect and handle data as it is passed down from a controller. Processors can only use the data as stipulated by the controller. Processors must:
Ensure the controller has the right to pass data to a third party
Maintain appropriate technical and organizational measures to protect a user’s personal data
Process personal data as directed by the data controller
Maintain records of personal data and how it is processed
Assist the controller in responding to data subject requests
Is The MediaGrid a controller or processor under GDPR?¶
In the services we provide to our partners, The MediaGrid acts as a data processor under GDPR definitions. In this capacity, The MediaGrid only processes personal data received from media suppliers or buyers to facilitate RTB trading and connectivity between partners.
What personal data does The MediaGrid process for the purposes of GDPR?¶
The MediaGrid processes personal data available in the bid stream and cookie-matching requests. That includes user IP address, user agent, cookie or device ID, location.
What is the purpose for the personal data you process?¶
The MediaGrid needs to process personal data in order to facilitate RTB trading. The MediaGrid is a real-time infrastructure for SSPs and DSPs that connects various trading partners and makes SSP bid requests available to DSPs. As part of this process, we receive personal data from our partners.
Do you follow the IAB Transparency & Consent framework?¶
Yes. You can read more details here: IAB Transparency & Consent framework.
What Bid Request fields does The MediaGrid populate and how to support the IAB framework?¶
The MediaGrid will enable compliance as defined by the IAB through supporting the passing of GDPR eligibility and user consent via two extension fields. The following fields will be passed as extensions under the user section of a bid request:
regs.ext.gdpr: Indicates whether the request is subject to GDPR regulation for the user
user.ext.consent: Indicates user consent when GDPR regulations are in effect
user.ext.google_consent: A set of IDs corresponding to providers for whom the publisher has provided user consent using Google vendor list. A mapping of provider ID to provider name is posted at https://storage.googleapis.com/adx-rtb-dictionaries/providers.csv
The MediaGrid will not alter these fields as received by SSPs in any way. The field
regs.ext.gdpr will indicate whether the bid request is subject to GDPR regulation
for the user and the field
user.ext.consent will indicate user consent when GDPR
regulation is in effect. The possible values for each of these fields are:
regs.ext.gdpr: 0= No 1= Yes
user.ext.consent: 0 = No consent, 1= Consent given for all vendors, consent string as provided by the supply partner, e.g.
What consent is required for The MediaGrid?¶
If a publisher is pursuing the consent route and not legitimate interest, we expect The MediaGrid to be declared in consent dialogues along with other data processors (SSPs and DSPs) for the same data processing purposes.
Is The MediaGrid registering with the IAB to be included in their GDPR vendor list?¶
Yes, our application to join the IAB Vendor List was approved and our vendor ID is 128.
Will The MediaGrid send requests to DSPs where consent has not been given in the bid stream?¶
That specifically depends on how the legitimate interest model fits in and processed by buyers. At this time, The MediaGrid will still send such requests out and let buyers decide on eligibility. We are also considering anonymisation options.
Is The MediaGrid going to audit creative snippets returned by DSPs in bid responses?¶
Will The MediaGrid continue to trade with partners in both consent and legitimate interest?¶
How will The MediaGrid support the rights of data subjects under GDPR, including erasure, portability, access, information, rectification, etc?¶
Under GDPR, The MediaGrid is required to abide by all requests from data subjects, including supporting and fulfilling the actions listed above. We are also required to inform all other parties in the supply chain of that data subject’s request. Data subjects will be able to file such requests by emailing our privacy and compliance team at firstname.lastname@example.org.
Do we need to update our contract with you?¶
GDPR requires Data Processing Agreements (DPA) to be in place between all partners in the advertising supply chain where personal data is processed or stored. To satisfy that requirement, The MediaGrid will be distributing standard DPAs to all of our partners for whom no paperwork is yet in place in the next two weeks. We are equally happy to review and sign DPA’s provided to us by our partners.
Does The MediaGrid have a Data Protection Officer (or DPO)?¶
Yes. The MediaGrid’s DPO can be contacted at email@example.com.
Who can I contact for more information?¶
Please send any questions to firstname.lastname@example.org.