Widespace GDPR Documentation for Clients, Partners & Summit platform users
Services provided by Widespace
Through its platform Summit, Widespace acts as an intermediary service provider, providing a range of services to buyers and sellers in relation to their purchases and sales of advertising inventory. Widespace also enables the ability for clients to integrate and use their first-party data for targeting purposes.
Further, Widespace acts as an intermediary service provider to third party data providers, reselling their data within the Summit Data Marketplace.
In order to provide the Services, Widespace and the Summit Platform receives and uses different types of data, out of which some is “Personal Data” as defined in GDPR.
Widespace’s role in the online advertising ecosystem
End user data is often shared by several parties in the online advertising ecosystem, and it’s sometimes quite complex to understand who is the data controller and who is the data processor.
Widespace’s Summit advertising platform provides a tool for advertisers to purchase ad inventory and for publishers (websites or mobile application providers) to sell their ad inventory in the most efficient ways possible. Through Summit and through our IO ad sales, we work with various parties in the ecosystem, including parties in the following categories:
- Advertisers and Media Agencies
- Ad servers
- Demand-side platforms (DSPs)
- Sell-side platforms (SSPs)
- Data management platforms (DMPs)
- Data providers
- Verification providers
- Ad exchanges
Widespace and the other Party are separate and independent controllers with respect to personal data collected or received by us:
- When receiving an ad call to fill advertising inventory on a publisher’s web page or internet application.
- When receiving an ad call to bid on advertising inventory from an external supply source (SSP or other exchange), we are controller in common with the SSP or exchange.
- When receiving calls from our conversion tags, we are controller in common with an advertiser or publisher.
We have reached the conclusion that the Parties are independent data controllers in relation to these categories of data because we independently make decisions on how the data is used and, we believe that, pursuant to the text of the GDPR and the existing EU guidance, this makes us independent controllers of the data with respect to those purposes. For further guidance regarding Online Behavioural Advertising from the Article 29 Working Party under the European Commission, please click here.
Widespace is a data processor with respect to the personal data collected or received by us;
- In the form of segment data, when we receive batch uploads of user IDs associated with segments created by our clients and third-party partners that make their data (or other third parties’ data) available for our clients’ use on the Summit platform.
- In the form of contact information or log-in credentials of Summit account holders or other contact persons of our client and partners.
This is because the data is collected and the segments are created by third parties, and these segments are used by Widespace on the instruction of the third parties.
What kind of personal data is collected?
Data collection – End users
End users are defined as the individuals who get an advertisement delivered by the Widespace platform to an internet site or an application intended for use on a Mobile Device. The end user may or may not see, interact and click on the advertisement. End user can also be an individual who visits an internet site or an application on which Widespace has integrated a conversion tag.
The data collected and processed by Widespace may include information about browsers and devices of users, such as:
- The type of browser and its settings (eg. language settings)
- Information about the device’s operating system and type of device
- Information about other pseudonymous identifiers assigned with the device, such as Apple’s Identifier for Advertisers (IDFA) and Google’s Advertising ID for Android devices (AAID)
- The IP address from which the device accesses a client’s website or app
- Wifi BSSID, the MAC address of the wireless access point (WAP)
- In connection with receiving requests to show ads to a device or requests initiated by clients to track activity or place users into interest-based segments, information about the user’s activity on that device, including web pages and apps visited or used and the time those web pages and apps were visited or used
- Information about the geographic location of the device when it accesses an app
- Cell information from the cellular network (for Android app only)
- Type of connection (i.e. wifi or cellular)
The GDPR includes location data, IP address, cookie ID and advertising identifiers within the scope of personal data when combined with certain types of information. The type of data that Widespace collects from end users is referred to in the GDPR as “pseudonymized data”. Pseudonymization is the separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately, a procedure that is encouraged by the GDPR.
The GDPR also includes “unique identifiers” within the scope of personal data when combined with certain types of information. This unique identifier is a sequence of numbers or numbers and letters used as a kind of label that indicates to systems that the data in question relates to the same device or browser. It is used to identify the data without the need to refer to a name, address, or other information that could be connected to a user in the real world.
Widespace assigns a unique identifier to every device or browser that passes through the Platform. While Widespace cannot identify which individual (or individuals) are using the device or browser in the real world, this unique identifier, combined with the other information we collect or our clients or other ad tech companies attribute to that unique identifier (e.g., cookie IDs, mobile device IDs, IP addresses, latitude and longitude coordinates), is now defined as “personal data”.
Note Widespace does not collect or process data that by itself identifies an individual, such as name, address, phone number, email address, or social security identifier. Further, Widespace never collects or processes sensitive data points such as religious beliefs, biometric data, sexual orientation or data concerning health.
Lawful basis for processing personal data under the GDPR
The GDPR requires lawful basis for the collection and processing of personal data. In the online advertising ecosystem, there is today a discussion as to whether “legitimate interest” should be considered legal basis for the processing of end user data. Some argue that “legitimate interest” is viable, since the processing of personal data is needed for example for the detection and prevention of fraud and invalid inventory, and to perform frequency capping.
In waiting for the GDPR to come into force and for precedents to be created around which lawful bases that will be deemed adequate for online and behavioural advertising, getting user consent is the preferred legal basis. Organisations must get affirmative consent of data subjects, an it must be freely given, specific and informed. For further guidance regarding Consent (including consent through electronic means) from the Article 29 Working Party under the European Commission, please click here.
The advertising industry alongside the IAB have joined forces to create a standardized framework that can be used throughout the ecosystem to collect and share information about user consent, see advertisingconsent.eu. Widespace is supporting the framework, and we strongly encourage our publishers and partners to follow our lead.
If you have questions around GDPR, please reach out to your local Widespace representative.