Document Purpose: This document answers commonly asked questions about Ozone and our data processing policies.
Last updated: June 15, 2019
Ozone GDPR FAQ
What kind of data is processed by the Ozone platform?
In line with the definition of Personal Data laid out in Article 4 of the GDPR, the data that the Ozone platform processes is Personal Data. That Personal Data comprises digital identifiers, and information that can be linked to those identifiers, that fall into the following categories:
Unique device identifier
Operating system and version
Mobile network information
User Event Information
Type of browser and operating system used
URLs clicked on
the page(s) visited before navigating to the Publisher and Advertiser websites
Derived from the IP address
What kind of processing takes place in the Ozone platform?
The processing undertaken by the platform is as follows:
Facilitating the bid process
Matching and combining data, and gaining audience insights
Associating a user with one or more advertising segments of the market
How is data captured by Ozone?
Any Advertiser or Publisher working with Ozone is required to run the Ozone pixel (tag), on their site. This allows the Ozone cookie to capture and store the Personal Data that Ozone requires to manage advertising activity.
As well as GDPR, the dropping of those cookies falls within the current ePrivacy directive, the Privacy and Electronic Communication Regulation, and the forthcoming ePrivacy Regulation.
To stay compliant, Ozone performs due diligence that any Advertiser or Publisher dropping its cookies does so in line with the requirements of these laws.
From a GDPR perspective, Ozone is a Data Controller for the Personal Data captured by the cookies. In line with the latest guidance on the use of Personal Data for advertising purposes, Ozone relies on the user’s consent to process the data captured by the cookies.
All of the Publishers with which Ozone works adhere to the IAB’s Transparency and Consent Framework. The Publishers capture Consent on behalf of Ozone via their Cookie notices and Consent Management Platforms.
A data subject can manage their Consent options directly via the Publishers’ cookie mechanisms. In addition, the data subject can withdraw their Consent by opting out of cookies directly with Ozone via a link in Ozone’s Platform Privacy Notice.
Ozone also places cookies on Advertiser sites. Advertisers need to capture GDPR standard cookie Consent on behalf of Ozone via their Cookie notices.
Ozone being named as a 3rd party dropping cookies on the Advertiser’s site
As Ozone is a Controller of the data captured by the cookie, consent needs to be captured for Ozone specifically
A link to Ozone’s Platform Privacy Notice
The ability for a user to withdraw their Consent for the Ozone cookie and use the Advertiser’s site without the Ozone cookie being dropped
The Advertiser’s own Cookie and Privacy Notices should not suggest that Personal Data is not being captured by Cookies, as under the definition of GDPR, the data being stored by the Ozone cookie constitutes Personal Data.
Transparency is one of the key principles of GDPR. To fulfil its obligations under Articles 12-14, the Ozone Platform Privacy Notice is accessible on Ozone’s own site, and via the Publishers’ sites where the users data is captured. The Privacy Notice has been written in language that is easy to understand to ensure that the data subject’s Right to be Informed is met.
Data Subject’s Rights
Ozone has processes in place to meet the rights of the individual as set out in Articles 15-22 of the GDPR. Those processes include verifying the identification of the data subject, as well as verifying the validity of any request.
Processes also exist to ensure that the Processors used by Ozone can also fulfil any rights requests received.
In line with Article 28 (3), Ozone has developed a template Data Processing Agreement (DPA) for use with the Data Processors we engage. Each Data Processor is assessed for its GDPR compliance, and processes are in place to ensure their ongoing compliance and adherence to the DPA.
Ozone has completed a full Data Protection Impact Assessment for all of the processing being undertaken within the platform. This has been reviewed by the DPO, and any potential risks mitigated against through implementation of new business process and/or technical design solutions.
To ensure that the principle of Data Protection by Design and Default was met, the legislative requirements of the GDPR were translated into technical requirements. These were then taken into account when the platform was designed and built.
Ozone has a full roadmap of developments, and these requirements will be referenced as each enhancement to the platform is addressed. Releases of enhancements will only take place once the GDPR requirements are met.
Every Ozone employee is well versed in their data protection obligations, and the GDPR as it relates to the Ozone platform. As part of the new starter induction process, all employees receive mandatory data protection training.
Data Protection Team
In line with Article 37 of the GDPR, Ozone has appointed an experienced Data Protection Officer. Ozone’s position in the advertising industry, sitting across Publishers, means that it is uniquely placed to participate in conversations with various industry bodies such as the IAB, EPC and EDAA.