IAB SWEDEN DATA POLICY – DRAFT 0.9
(Draft Data Policy published in May 2018 on account of the GDPR. The policy is still being revised, as not all parties within IAB Sweden have endorsed it.)
Purpose and scope. This Data Policy sets out conditions for processing of Data in connection with the advertising campaigns run on a Publisher Service.
Other agreements. If a party has a written agreement with a Publisher that relates to the advertising campaigns run on a Publisher Service, this Data Policy forms an integrated part of such agreement. In the event of conflict with respect to terms specifically governing advertising campaigns run on a Publisher Service, this Data Policy prevails.
Advertiser. A company that advertises a product, service or another offering.
Applicable Law. Applicable laws and regulations, including but not limited to the Ecom Act and the GDPR.
Company. Advertiser and/or Media Agency.
Data. Any data collected from or processed on a Publisher Service when delivering or measuring ads, whether or not such information is personal data, including but not limited to user information (such as device ID, browser type, OS type, IP address and cookie file), information concerning the performance of an ad (such as number of impressions and number of clicks), and/or information stored on a user device using cookies or similar technologies.
Ecom Act. The Swedish law (2003:389) on electronic communication.
GDPR. The EU General Data Protection Regulation 2016/679.
Media Agency. A company that acts on behalf of advertisers with respect to the advertising campaigns it runs on a Publisher Service.
Permitted Purposes. Ad selection, delivery, reporting: The collection of information, and combination with previously collected information, to select and deliver advertisements for users, and to measure the delivery and effectiveness of such advertisements. This includes using previously collected information about users’ interests to select ads, processing data about what advertisements were shown, how often they were shown, when and where they were shown, and whether the user took any action related to the advertisement, including for example clicking an ad or making a purchase.
Personalisation. The collection and processing of information about users of a site to subsequently personalize advertising for them in other contexts, i.e. on sites or apps, over time. Typically, the content of the site or app is used to make inferences about user interests, which inform future selections.
Publisher. A publisher operating or owning as applicable a Publisher Service on which advertising campaigns are run, where “Publisher” shall also include any affiliates of such publisher.
Publisher Service. Any digital service owned or operated by a Publisher, where “operated” means third party digital services of which the Publisher is the seller of advertising inventory.
User. Any end-user of Publisher’s Services.
Vendor. A company providing tools enabling or supporting the advertising campaigns run on a Publisher Service.
Terms for Advertisers
Responsibilities. The Advertiser is responsible for respecting this Data Policy and for ensuring that the Advertiser’s processing of the Data is compliant with Applicable Law (including ensuring legal basis for processing of Data and transparency in relation to the data subjects).
Purposes. The Advertiser shall process Data solely for the Permitted Purposes. For the avoidance of doubt, the Advertiser shall refrain from processing Data for any other purpose, including but not limited to Personalisation, or campaign targeting on services not controlled by Publisher.
Terms for Media Agencies
Notification. The Media Agency shall, in advance of delivering and measuring ads on behalf of an Advertiser, and in advance of using a Vendor, notify the Publisher of the identity of the Advertiser or Vendor. The Media Agency shall use reasonable endeavours to introduce the Publisher to each Advertiser or Vendor for the purpose of facilitating the conclusion of an agreement with it if the Publisher deems an agreement desired. As a minimum, the Media Agency shall ensure that the Data Policy has been disclosed to the Advertiser or Vendor.
Exclusion. The Media Agency acknowledges and agrees that the Publisher may in its sole discretion decide whether to disallow the display of ads on behalf of specific Advertisers and to exclude the use of specific Vendors.
Purposes. The Media Agency shall not use the Data other than for the Permitted Purposes. For the avoidance of doubt, the Media Agency shall refrain from processing Data for any other purpose, including but not limited to Personalisation or campaign targeting on services not controlled by Publisher.
Moreover, within the limits of confidentiality obligations, the Media Agency shall use reasonable endeavours to familiarize itself with relevant terms of agreements that the Publisher may have with Advertisers for which the Media Agency acts, and the Media Agency shall refrain from using Data in breach of such agreements.
Terms for Advertisers and Media Agencies
Publisher has the right to monitor that the Company is compliant with this Policy. The Company shall assist Publisher with documentation, access to premises, IT-systems and other assets needed to follow up the Company’s compliance with this Policy. The Company may offer alternative solutions for monitoring, for example audit performed by an independent third party, which Publisher in its sole discretion may choose to accept. Publisher shall provide the Company with 30 (thirty) days’ notice to perform an audit.
Roles and responsibilities. It is acknowledged that each party is separately responsible for complying with its obligations under Applicable Law. In the context of this Data Policy, a Company does not act as processor on behalf of, or as joint controller with, a Publisher.
Cooperation. In the context of this Data Policy, either party shall provide to the other party such reasonable assistance, cooperation and information as the other party may reasonably require to satisfy obligations under Applicable Law, including with respect to data subject rights and transparency obligations.
Disclosure. The Company may disclose or give access to Data to a third party (such as its processors, customers, or measurement companies) only (i) if and to the extent such disclosure is required to fulfil the Permitted Purposes set out in this Data Policy, and (ii) provided the Company procures that the third party only processes Data as permitted in this Data Policy. A Company shall upon request disclose to the Publisher any and all relevant information regarding such third parties.
Personally identifiable data. No Company shall share with any other party any personal data that allows users to be directly identified (for example, by reference to their name or email address), knowingly pass to the other party any personal data of children as defined under Applicable Law, or share with the other party any special categories of personal data unless expressly agreed in writing and as permitted under Applicable Law.
Cookies. On a Publisher Service, the Publisher shall comply with the Ecom Act, including the cookie notice obligation.
Aggregated data. To the extent the Company is entitled under Applicable Law and applicable agreements to aggregate Data (such as average click-rate etc. for benchmarking purposes), the Company shall upon request provide such aggregated data to the Publisher. For the avoidance of doubt, such aggregated Data shall be fully anonymised meaning that the Data is no longer personal data (in the meaning of the GDPR).
Tools. A Company shall respect any conditions or restrictions that the Publisher may impose for the use of scripts or other tools on a Publisher Service. The Company acknowledges and agrees that such conditions or restrictions may affect the delivering or measuring of ads, however the Publisher will endeavour to limit such effects. The Company acknowledges that the Publisher may monitor the use of scripts or other tools used on a Publisher Service, including to monitor the adherence to this Data Policy.
Data security. A Company shall maintain appropriate technical and organisational security measures to protect the Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access. Notwithstanding the generality of the above, the Company shall limit access to the Data to personnel on a need-to-know basis and ensure that such personnel are subject to appropriate confidentiality obligations.
Data security breach. In the event of a security breach involving the Data, the Company shall without undue delay notify the Publisher, in order for the involved parties to respond to and address any data subject risks properly. The involved parties shall in good faith collaborate in relation to potential notification requirements to data protection authorities. Without the Publisher’s prior written approval, the Company is not entitled to mention or refer to the name or trademark of the Publisher in any breach notification to a supervisory authority or to the affected data subjects unless strictly necessary to comply with Applicable Law and always provided that the Publisher has been duly notified.
Data transfer. A Company shall not transfer personal data (in the meaning of the GDPR) to a third country or an international organisation unless the conditions laid down in Chapter V of the GDPR are complied with and the Publisher has received prior written notice about the transfer. For the avoidance of doubt, the Company is solely responsible for the lawfulness of such transfer.
Breach. A Company is liable to the Publisher and its affiliates for any costs, losses and expenses caused by its breach of this Data Policy. Any breach of this Data Policy constitutes a material breach of any other agreement relating to advertising campaigns run on a Publisher Service between the Publisher and the Company.
Exclusion. If the Publisher reasonably believes that a Company acts contrary to this Data Policy, the Publisher is entitled to temporarily stop a campaign and/or exclude the Company from running advertising campaigns on a Publisher Service. For the avoidance of doubt, such exclusion shall neither be deemed a violation by the Publisher of an agreement relating to such advertising campaigns, nor shall such exclusions relieve the Company from fulfilling any other agreement that it may have with the Publisher.
[Changes. The Publisher may change this Data Policy from time to time. The change will be binding once published on the Publisher’s website or otherwise communicated to the Company, or – if the changes are material – 30 days following notice.]
Notices. When this Data Policy stipulates that a notice is to be sent in writing, it may also be sent by email.