GDPR FAQs, The MediaGrid

Last Updated: Dec 17, 2018

  • GDPR Overview

    • What entity is covered by these FAQs?

    • Rights and obligations of Controllers and Processors under GDPR

    • Is The MediaGrid a controller or a processor under GDPR?

  • Data Processing

    • What personal data does The MediaGrid process for the purposes of GDPR?

    • What is the purpose for the personal data you process?

    • Do you share personal data you collect with other third parties?

    • Do you follow the IAB Transparency & Consent framework?

    • What Bid Request fields is The MediaGrid going to populate and how in order to support the IAB framework?

    • What consent is required for The MediaGrid?

  • Technical Details

    • Is The MediaGrid registering with IAB to be included in their GDPR vendor list?

    • Will The MediaGrid send a bid request to a DSP where user consent has not been given in the bid stream?

    • How will The MediaGrid handle user consent in regards to cookie-matching?

    • Is The MediaGrid going to audit creative snippets returned by DSPs in bid responses?

    • Will The MediaGrid continue to trade media with all partners - those on the consent route and on the legitimate interest?

    • How will The MediaGrid support the rights of data subjects under GDPR, including erasure, portability, access, information, rectification, etc?

  • Other Questions

    • Do we need to update our contract with you?

    • Does The MediaGrid have a Data Protection Officer (or DPO)?

    • Who can I contact for more information?

GDPR Overview

What is GDPR?

The General Data Protection Regulation, or GDPR, is the name of the EU’s new laws on data protection and security which becomes law across all EU member states on May 25, 2018. It is intended to strengthen and protect the personal data of data subjects and give those data subjects more control over their personal data. It does this by placing new obligations on all organizations that market, track, or handle personal data within one or more EU member states. The scope of the GDPR includes any personal data that leaves and/or enters any EU member state and therefore organizations located outside the EU involved in such data transfers will also need to comply with the GDPR.

What entity is covered by these FAQs?

These FAQs relate to The MediaGrid GmbH and cover the various services and products that process personal data as defined by GDPR on behalf of our customers and partners.

Rights and obligations of Controllers and Processors under GDPR

A controller is the entity that determines the purposes, conditions and means of the processing of personal data, given that they have a legal basis to do so, while the processor is an entity that processes personal data on behalf of a controller.

Controller responsibilities according to GDPR:

  • Determine and communicate basis for collecting and processing personal data

  • Obtain informed consent from users, if determined necessary based on business uses

  • Inform data subjects as to how their personal data will be used and processed

  • Collect, process, and store personal data lawfully and securely

  • Ensure all partners, to whom personal data is passed, are also GDPR compliant

  • Act on any data subject requests regarding the use and processing of their personal data

Processors collect and handle data as it is passed down from a controller. Processors can only use the data as stipulated by the controller. Processors must:

  • Ensure the controller has the right to pass data to a third party

  • Maintain appropriate technical and organizational measures to protect a user’s personal data

  • Process personal data as directed by the data controller

  • Maintain records of personal data and how it is processed

  • Assist the controller in responding to data subject requests

Is The MediaGrid a controller or processor under GDPR?

In the services we provide to our partners, The MediaGrid acts as a data processor under GDPR definitions. In this capacity, The MediaGrid only processes personal data received from media suppliers or buyers to facilitate RTB trading and connectivity between partners.

Data Processing

What personal data does The MediaGrid process for the purposes of GDPR?

The MediaGrid processes personal data available in the bid stream and cookie-matching requests. That includes user IP address, user agent, cookie or device ID, location.

What is the purpose for the personal data you process?

The MediaGrid needs to process personal data in order to facilitate RTB trading. The MediaGrid is a real-time infrastructure for SSPs and DSPs that connects various trading partners and makes SSP bid requests available to DSPs. As part of this process, we receive personal data from our partners.

Do you share personal data you collect with other third parties?

No.

What Bid Request fields does The MediaGrid populate and how to support the IAB framework?

The MediaGrid will enable compliance as defined by the IAB through supporting the passing of GDPR eligibility and user consent via two extension fields. The following fields will be passed as extensions under the user section of a bid request:

  • regs.ext.gdpr: Indicates whether the request is subject to GDPR regulation for the user

  • user.ext.consent: Indicates user consent when GDPR regulations are in effect

  • user.ext.google_consent: A set of IDs corresponding to providers for whom the publisher has provided user consent using Google vendor list. A mapping of provider ID to provider name is posted at https://storage.googleapis.com/adx-rtb-dictionaries/providers.csv

The MediaGrid will not alter these fields as received by SSPs in any way. The field regs.ext.gdpr will indicate whether the bid request is subject to GDPR regulation for the user and the field user.ext.consent will indicate user consent when GDPR regulation is in effect. The possible values for each of these fields are:

  • regs.ext.gdpr: 0= No 1= Yes

  • user.ext.consent: 0 = No consent, 1= Consent given for all vendors, consent string as provided by the supply partner, e.g. BONuO3IONv1sjAOABCENARuAAAAHpAMAeQiQQoTBcFRlVABIIg

Technical Details

Is The MediaGrid registering with the IAB to be included in their GDPR vendor list?

Yes, our application to join the IAB Vendor List was approved and our vendor ID is 128.

Is The MediaGrid going to audit creative snippets returned by DSPs in bid responses?

No.

How will The MediaGrid support the rights of data subjects under GDPR, including erasure, portability, access, information, rectification, etc?

Under GDPR, The MediaGrid is required to abide by all requests from data subjects, including supporting and fulfilling the actions listed above. We are also required to inform all other parties in the supply chain of that data subject’s request. Data subjects will be able to file such requests by emailing our privacy and compliance team at privacy@iponweb.com.

Other Questions

Do we need to update our contract with you?

GDPR requires Data Processing Agreements (DPA) to be in place between all partners in the advertising supply chain where personal data is processed or stored. To satisfy that requirement, The MediaGrid will be distributing standard DPAs to all of our partners for whom no paperwork is yet in place in the next two weeks. We are equally happy to review and sign DPA’s provided to us by our partners.

Does The MediaGrid have a Data Protection Officer (or DPO)?

Yes. The MediaGrid’s DPO can be contacted at privacy@iponweb.com.

Who can I contact for more information?

Please send any questions to privacy@iponweb.com.