This Adverity Data Protection Guideline (the “ADPG”) forms an informative product specific document. It contains general information on data protection and can assist you with the data protection compliant use of the Adverity Platform. The ADPG does not form any sort of legal advice provided by Adverity GmbH. Please consult with your own legal counsel on your individual circumstances of data processing and specific legal questions you may have.
The GDPR requires that you conduct a risk analysis prior to deploying the Product. When doing this, please consider the topics addressed in this ADPG.
1. Processing of personal data
When you use the Adverity Platform to process data relating to identifiable natural persons (“personal data”) you are responsible for compliance with the provisions of data protection laws (esp. the EU General Data Protection Regulation – GDPR and national data protection legislation). The requirements of the GDPR may also apply to processing of personal data outside of the EU (see Art 3 GDPR) and may mandate to designate a representative in the EU in case you are not established within the EU.
The Adverity Platform features special personal data warnings (see point 8 below) to notify you when you are selecting connectors that may process personal data (e.g. CRM databases). Personal data may be processed when you use the Adverity Platform to load data from connectors or when using this data in your reports.
Anonymised data is not subject to the GDPR. Please note, that the process of anonymizing personal data (e.g. for anonymizing IP addresses) must also comply with the applicable data protection provisions and falls within the scope of this ADPG.
2. Special categories of personal data or criminal data
Please be aware that the Adverity Platform is not intended to process special categories of personal data (“sensitive data”) or personal data relating to criminal convictions and offences (“criminal data”). Sensitive data are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership; genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. When processing such personal data stricter requirements and limitations apply (see Art 9 and 10 GDPR).
Please note that processing of sensitive and criminal data might be an issue for customers who are companies from the health industry sector, political parties, or entities of religious communities. Thus, you may consult with your legal counsel before processing such personal data.
3. Roles and responsibilities
When using the Adverity Platform for your own marketing purposes you will in general be the controller in the terms of the GDPR. As such, you have inter alia the responsibility to assess the lawfulness of all processing activities and adhere to certain documentation requirements (e.g. keeping a record of all processing activities).
Furthermore, you have to ensure that all data subjects are informed about your processing activities in a transparent manner (Art 13, 14 GDPR). This may include informing them about processing of personal data for marketing purposes where data was originally collected for other purposes (e.g. online shop customers).
When you are processing personal data as agency on behalf of your clients (i.e. their customer’s data) as part of your services, you will be the processor in terms of the GDPR. As processor you are obliged to enter into a data processing agreement with the controller (Art 28 GDPR) and ensure an adequate level of data security by implementing appropriate technical and organizational measures.
A combination of personal data is a particular form of processing that must be legitimate and transparent.
4. Legal grounds for processing
The processing of personal data is only permitted when it can be based on one of the legal grounds listed in Art 6 GDPR. For marketing purposes typically the data subject’s consent or the controller’s legitimate interest can serve as legal ground for the processing. For sensitive or criminal data other legal grounds apply (Art 9, 10 GDPR).
Please note that special requirements may apply to the processing of personal data in relation to children (e.g. Art 8 GDPR).
When acting as controller you are responsible to show a correct legitimate legal ground for each processing activity.
5. Requirements for a valid consent
For a valid consent data subjects must be transparently informed about inter alia (I) what data will be processed (II) by whom, (III) the purposes of the processing, and (IV) the right to withdraw their consent at any time with effect to the future. Consent may be required e.g. for marketing activities, cookies or newsletter registrations. If consent is not obtained in a valid form (e.g. initial consent does not cover marketing or analysis purposes) the processing activity may be unlawful and subject to sanctions.
6. Documentation requirements
The Adverity Platform enables you to collect and report data from various services. As such, the Adverity Platform only processes personal data already provided by other services used by you. It should be ensured that existing documents (e.g. privacy notices, records of processing activities, consent forms) are updated to include the purposes pursued within the Adverity Platform (i.e. marketing analysis).
7. Data Subject Rights
Data subjects have specific rights regarding their personal data like access, correction, deletion, objection etc (see Art 15 – 22 GDPR). As controller you are responsible to ensure that data subject request exercising these rights can be fulfilled in due time and in compliance with the applicable data protection provisions.
With respect to Art 22 GDPR, the Adverity Platform does not currently allow for automated individual decision-making processes within the Platform. Should the Adverity Platform enable such features in the future we will notify you accordingly.
8. Personal data warning and connected services
When you intend to configure data connectors that may process personal data, you will receive a notification outlining additional information regarding a data protection friendly use of these connectors and if consent of the data subject is likely to be necessary. In such cases additional features to anonymize or pseudonymize personal data are available and it is within the controller’s responsibility to apply them. More information on anonymization and pseudonymization features, such as using randomized IDs or hashes, can be obtained by contacting Adverity’s Support Team.
As a customer you are responsible to only use such services that are compliant with data protection laws. When connecting custom databases or third party services with generic APIs, special caution is necessary to only process such personal data that has been obtained lawfully and for the intended purpose.
The Adverity Platform gives you the tools to select privacy friendly settings and process personal data only on a need-to-know basis (see point 9 below). The connectivity page of the connected service contains links to the websites of the connected service. It is recommended to follow the privacy guidelines published there as well.
9. Technical and organizational measures for data security
The Adverity Platform assists you with the implementation of appropriate technical and organizational measures for data security (see Art 32 GDPR). You may use the following features to add to a data protection friendly use of the platform:
- access restrictions,
- usage logs,
- configuration of data retention schedules, and
- pseudonymisation or anonymization of data.
10. Access restrictions & user roles
In accordance with the principles of integrity and confidentiality access to personal data shall be restricted and secured to prevent unauthorized disclosure or use of personal data. Within the Adverity Platform appropriate user roles and access authorization should be set up to limit access to personal data to persons on a need-to-know basis (when sharing personal data with your employees as well as third parties).
Further, personal data may only be processed for the purpose they were originally collected for unless processing is necessary for compliance with a legal obligation or other legal grounds apply. Where data is processed for purposes other than they were originally collected for, a compatibility test according to Art 6 (4) GDPR must be conducted.
11. Usage logs
In order to maintain the security, confidentiality and functionality of the Adverity Platform, activities and interactions with the product and the contained data are recorded in a usage log. This usage log may contain personal data of users such as usernames, IP addresses, timestamps and actions taken. Additionally, cookies are placed when using the Adverity Platform (i.e. when used by your employees) for these purposes and the functionality of the browser session. The use of usage logs also requires a legal ground and legitimate purpose for processing (e.g. investigate unauthorized data accesses or data protection incidents). Also, you may have to inform your employees and customers of such processing activities.
Adverity does not have access to this usage logs unless you require our further assistance within the service contract and provide us with this information (such access may require further data protection measures).
12. Retention schedules
The Adverity Platform enables you to adjust data retention periods and set up regular deletion schedules. In accordance with data protection principles, storage of the data should be limited to the legitimate purposes. In this respect it may be helpful to use deletion schedules, defining the relevant timing for deletion, and to only retain anonymized summaries where possible.
Log files are generally kept for a period of ten days by default. System administrators may change this retention period in the logrotate configuration or store the files for the purpose of investigating irregularities or security incidents in our system. Audit logs are kept for a period of five years.
13. Pseudonymization and anonymization of data
Besides the deletion of data, pseudonymization and anonymization may add further to the minimization of personal data. We recommend reviewing the pseudonymization and anonymization options when configuring connectors featuring personal data.
14. Confidentiality and data secrecy
Independent of their role as controller or processor, employers must impose data secrecy obligations on their employees (Art. 28 (3) lit b), 29, 32 (4), GDPR; in Austria: § 6 Data Protection Act). Device management policies restricting data access or transfers as well as prohibitions on mobile data storages and mobile access can further reduce the risk of a breach of confidentiality. Employee trainings on data protection increasing the employees’ data protection awareness may form an integral part of a company’s internal compliance efforts.
15. Transfer of personal data
When you transfer personal data to another (group) entity acting as controller this also requires a legal ground as described above. Additionally such transfers to non-EEA countries which do not have an adequate level of data protection may require additional measures to ensure data protection compliance (e.g. conclusion of EU Standard Contractual Clauses).
16. Further Recommendation
We recommend you to encrypt data stored on the fileshare on a system level.