GDPR compliance is our top priority and we encourage you to read through the FAQs below. ChameleonAds.eu is the commercial trading name of Velor Advertising Group S.L. (www.ChameleonAds.eu). Velor Advertising Group S.L. will hereinafter be referred to as “ChameleonAds”. Data protection and ensuring overall clients’ trust is at the core of ChameleonAds’ business principles. Accordingly, GDPR compliance is our top priority and we encourage you to read through the FAQs below.
Q: What is GDPR and who does it affect?
The General Data Protection Regulation (GDPR), which applies as of May 25th of 2018, creates consistent data protection rules across Europe. It applies to companies that are based in the European Union (EU) and global companies that process personal data about individuals in the EU.
While many of the principles build on current EU data protection rules, the GDPR has a wider scope, more prescriptive standards and substantial fines. For example, it requires a higher standard of consent for using some types of data, and broadens individuals’ rights with respect to accessing and porting their data. It also establishes significant enforcement powers, allowing a company’s supervisory authority to seek fines of up to 4% of global annual revenue for certain violations.
Q: How does ChameleonAds prepare GDPR compliance?
As mentioned before Data protection is one of our core principles and we’ve thorougly prepared to meet GDPR requirements in the following way:
- Create a internal stakeholder group to assess our exposure. This group will consist of Tech, Advertiser and Sales and Management responsibles to have the full image.
- Create a Privacy Impact Assessment (PIA) to analyze our exposure to data.
- Based on the outcomes of the PIA w’ll revise our
- Documentation and procedures related to data
- Appoint responsible person for this topic called Data Protection Officer (DPO)
- Privacy Policies
- T&C for Advertisers
- T&C for Publishers.
- GDPR documentation.
- Afterwards we will communicate External adaptations to our partners
- Next is to make general documentation about our GDPR updates to put on our website
- Last is to provide a training to our teams so they are all aware of the implications.
Key legal bases
Under GDPR, there are a number of grounds to legitimise the processing of personal data. Below, we’ve outlined the most relevant legal bases under the GDPR.
Basis Requirements and product implications.
- Data processed must be necessary for the Service and defined in the contract with the individual
- Requires a freely given, specific, informed and unambiguous consent by clear affirmative action
- People have a right to withdraw consent, which must be brought to their attention
- Must be from a person over the age of consent specified in that EU Member State, otherwise given by or authorised by a parent or guardian
- Explicit consent is required for some processing (e.g., special categories of personal data)
- A business or third party must have legitimate interests which are not overridden by individuals’ rights or interests.
- Data processing must be paused if an objection is raised by an individual
Q: What constitutes personal data?
Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, an email address, phone number, or a computer IP address.
Q:ChameleonAds’s role as a data controller and a data processor?
A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller. ChameleonAds is both a data controller as a data processer. As a controller relies on its advertisers and publishers to get consent for ChameleonAds to process such data as ChameleonAds is not in direct contact with users.
- Data controller
- When analyzing anything present in HTTP(S) headers for quality control purposes and tracking. HTTP(S) headers is a standard web protocol sent by default between any browser request and any server on the Internet. HTTP(S) headers include IP addresses, User Agent, Operating System, Timestamp, Web browser, Carrier, Device Type, Device Brand, Device Model, Referrer and Requested page.
- When a publisher tracking pixel is implemented: When ChameleonAds sends to the Publisher the Session ID or Publishers Cookie
- Data Processer when receiving information via:
- The tracking pixel implemented on the advertiser site: When advertisers send us the Session ID or ChameleonAds Cookie
- Optional value for quality control: (i) When advertisers send us additional information related to quality and control like orderID, Amount, Currency, IP Address, Carrier, and (ii) When publishers send us additional information related to quality and control.
- Optional value for traffic optimization: When publishers send us additional information in the Sub-ID’s
Q: How long will we save the data in our system and when do we delete data?
Our 2 basic purposes of data collection are:
- Conversion tracking: Our cookies expire standard at thirty (30) days and we delete cookie data after that term as there is no further reason to track users.
- Quality and Control: Other user data is being kept for quality and control purposes and is only being deleted after a specific request.
Data is secured with Tune (HasOffers) cloud protection.
Q: Is this data being stored on European servers?
Where we act as a data processor on an advertiser’s behalf, we will be relying on our advertiser’s legal basis as data controller for our processing of such data. Specifically Advertisers should request Consent for Pixels and other Personal Data for quality control. ChameleonAds uses Pixels (as defined above) to provide its services. Advertiser shall ensure that appropriate notice and consent mechanisms as may be required by Applicable Data Protection Law are displayed upon digital properties in which Advertiser places ChameleonAds Pixels so that ChameleonAds can provide its services lawfully through such properties. Advertiser shall not fire any ChameleonAds Pixels unless and until any necessary consents required under Applicable Data Protection Laws have been obtained.
Where we act as a data controller on an publisher’s behalf, we will be relying on our publisher’s legal basis as data controller for our controlling of such data. Specifically Publishers should request Consent for analysis of HTTP(S) headers. ChameleonAds uses information obtained from HTTP(S) headers (as defined above) to provide its services. Additionally (if applicable) Publishers should request Consent for analysis of Tracking pixels. Publishers might use information obtained from Tracking pixels (as defined above) to provide its services. Publishers shall ensure that appropriate notice and consent mechanisms as may be required by Applicable Data Protection Law are displayed upon digital properties in which Publishers places ChameleonAds Tracking Links so that ChameleonAds can provide its services lawfully through such properties. Publishers shall not implement any ChameleonAds Tracking Links unless and until any necessary consents required under Applicable Data Protection Laws have been obtained.
Where we act as a data processor on an publisher’s behalf, we will be relying on our publisher’s legal basis as data controller for our processing of such data. Specifically Publishers should request Consent for sending any Personal Data as a Sub-ID in the Tracking link or via any other means. Publishers shall ensure that appropriate notice and consent mechanisms as may be required by Applicable Data Protection Law are displayed upon digital properties in which Publishers places ChameleonAds Tracking Links so that ChameleonAds can provide its services lawfully through such properties. Publishers shall not implement any ChameleonAds Tracking Links unless and until any necessary consents required under Applicable Data Protection Laws have been obtained.
Q: How does a consent work under GDPR?
The request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent – meaning it must be unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
Q: What do you have to do for GDPR?
To comply with the GDPR you must meet a number of requirements. These include but without limitation to:
- Only collect information that you need for a specific purpose.
- Seek consent to store the information you hold.
- Keep it secure.
- Allow the subject access to the information on request.
- Comply with a subject’s ‘right to be forgotten’ and erase personal data upon request.
Should you have further queries, please visit the EU GDPR website at: https://eugdpr.org/
Contact Us: If there are any questions regarding GDPR or any other matters, you may contact us using the information below:
Velor Advertising Group S.L. (trading name: “ChameleonAds”).
VAT number: B67573667.
Ronda del General Mitre 126, 08021 Barcelona, Spain.