The EU General Data Protection Regulation entered into force on May 25th 2018. For the sake of transparency, you will find below the roadmap Kwanko followed to comply.

Record of processing operations

Kwanko gathered a group of stakeholders to audit all personal data processed for its activity.

The result of this work is a personal data mapping that records, for each item of personal data, the following information:

  • Who? Who is the Data Controller and Data Processor?
  • Where? Where is the data stored?
  • Why? What is the purpose of the process?
  • What legal basis? What is the legal basis for the processing?
  • When? Until when is the data stored?

As an example, the mapping covered the following: cookie tracking, event tracking, our PartnerTag technology, our email de-duplication tool, all our lead generation products…

Each time, we paid specific attention to Kwanko’s role and the legal basis of the processing.
This mapping allowed us to build our Record of processing operations.

Awareness and training

Kwanko built training courses in its dedicated internal tool to raise its team's awareness of the topic. The training courses will be extended over time.

In addition, we reviewed some internal procedures to make sure all personal data is processed with the required confidentiality.

Finally, we reviewed our internal regulation.

Relations with partners

Kwanko has updated its Publishers and Advertisers Terms & Conditions in light of GDPR.

Kwanko designed a Data Protection Addendum (DPA) for our advertisers, in particular to draw their attention to their Data Controller role.

Kwanko has also made the following documents publicly available to its partners: Record of processing operations, Cookie Inventory, Security Policy, Privacy Policy, Email Marketing Terms & Conditions, etc.
Kwanko nominated a DPO; you can reach him at: gdpr@kwanko.com

Implications within our business community

Kwanko has been active in its French professional syndicate (CPA), where we have been working closely with our peers. We have published the result of our work, which you can find here.

E-Privacy Regulation

Kwanko will be waiting for the final version of the ePrivacy regulation (especially for everything that concerns web navigation data).

Kwanko aims to create a long-term relationship based on confidence with its clients. The new EU General Data Protection Regulation is an opportunity Kwanko has grasped to 1/ prove its total transparency towards its clients and 2/ proactively help and accompany its clients in the new legal framework.

Overall, we should always keep in mind that GDPR’s goal is to bring a better experience and more confidence to users, who are your clients and who allow you, as much as us, to keep on doing business. More confidence of the users in the digital advertising ecosystem will benefit all.

In the GDPR framework, Kwanko acts as a Data Processor, letting its clients be the Data Controller, free to decide on the means and purpose of the processing operations Kwanko executes on their behalf.

As of July 2018, the last update of this post, we do not take a position on the impact of the upcoming e-Privacy directive. We are following the progress of the text but will be waiting for the final versions, which may differ from one EU country to another.

Summary

For CPM and CPC campaigns, GDPR doesn’t have any noteworthy impact, as no Personally Identifiable Information (PII) is at stake. The e-Privacy directive and consent rules on cookie usage will have a much bigger impact on these types of campaigns.

For CPL campaigns, Kwanko’s role, as a Data Processor and with regard to the processing means and purpose set by the client, is to collect, store, transfer and/or track a lead for the client.

For emailing campaigns

  • Selection of emailers, owners of email databases
    • In France, Kwanko works solely with emailers that have signed and complied with the CPA charter. The CPA is the French professional syndicate for the performance marketing industry.
    • For our international emailers, we have collected the Emailers' commitment and declaration to comply with applicable laws in their respective countries via a self-certification document.
      Our policy and recommendation on consent collection:

      • For commercial prospection towards individuals, the Emailer commits to collect the free, specific, informed and unequivocal consent of every individual to be recorded in databases for the purpose of receiving promotional and commercial emailing campaigns.
      • Any free, specific, informed and unequivocal consent of a person to receive commercial emailing campaigns on behalf of the Emailer or any other advertiser partner of the Emailer will thus be considered as a “prospection opt-in” or “partner opt-in”.
  • Best practices we check before sending emailing campaigns:
    • The email must always state the emailer's business name as well as, preferably, a contact address of the emailer.
    • Emails must always offer a way to reply; a “noreply@” or similar email address is therefore not allowed.
    • A user must always be able to unsubscribe from the emailing without any cost.
    • The email layout and design must not mislead on the commercial message nor on the identity of the advertiser promoting the message.
  • If the landing page (LP) is hosted by Kwanko
    When the LP is hosted by Kwanko, the only processing operations Kwanko performs are the collection, storage and transfer of the lead to the advertiser. The lead transfer to the advertiser is done via API or FTP server over a secured protocol.
    As Data Controller, the client will define the opt-in text that will be displayed on the LP to collect consent.
  • If the landing page is hosted by the client
    When the LP is hosted by the client, Kwanko’s role is merely to track collected leads brought by its affiliate network. Thus, the only processing Kwanko will perform is the collection and storage of a unique sale id (argann), for legal purposes.
  • Case of deduplication (email blacklist management)
    The purpose of a deduplication operation is to exclude the advertiser’s current clients from marketing campaigns and/or to control marketing pressure by deduplicating inter-affiliate and advertiser email databases.
    To do so, the client transfers its blacklist (the list of emails to exclude from an upcoming email marketing campaign) to Kwanko via a secured SFTP server. Then, the deduplication is done via Kwanko’s internal deduplication tool, which allows the emailer to get back a ‘clean’ email list without holding the advertiser blacklist at any time.

In co-registration and emulation campaigns

Leads are collected by the publisher, for its ‘partners’. Consent collection is thus the publisher’s responsibility. Kwanko’s role, as Data Processor, is to organize the lead transfer to the client in a secure environment, either by API or by SFTP. In addition, Kwanko collects and stores the lead as a unique sale id for a legal purpose.

For click-lead campaigns

The following rule is compulsory:

  • In a kit mail, the consent to participate in an operation must specifically be separated from the consent to receive a newsletter (or promotional emails from commercial partners), giving the user the choice between:
    • Choice n°1: participate in the operation and receive the newsletter (or commercial emails from partners) of the advertiser
    • Choice n°2: participate only in the operation
  • The zones in which each choice is stated and selected must be clearly identifiable, so that no doubt exists about the link between the selection action and the choice being selected.

For CPA campaigns, Kwanko’s role is to track events in order to match a sale with an ad displayed on Kwanko’s network. These tracking means can use PII such as an email address or an IP address. In addition, Kwanko must store a unique sale id. This unique sale id can be PII, on which Kwanko does not perform any operation other than collection and storage, in order to respect its contractual, legal and fiscal obligations.

For retargeting campaigns, Kwanko uses its PartnerTag, which allows its publisher network to access the content of pages the user is visiting. Kwanko never has access to this data and so, a fortiori, neither collects nor stores it (data goes straight from the user's browser to the publisher).
To assess the impact GDPR will have on the PartnerTag, we are waiting for the final version of the future ePrivacy directive (which may change from one EU country to another), which will regulate cookie-based retargeting technologies by making consent to such retargeting compulsory.

As part of our publisher network, we consider you first and foremost as a partner. This is why we think that, together, we can make GDPR more of an opportunity than an obstacle.

First, let's not forget that GDPR’s goal is to offer a better experience and build more trust with our users, who, at the end of the day, allow you, like us, to grow our business. We believe that if users have more trust in publishers and advertisers, the regulation will have an overall positive impact.

By being relevant and transparent, we will be, together, on our way to compliance.

3 concrete examples:

  1. The GDPR requires a lawful basis for processing. In other words, you need a legal reason to use a user’s data, like consent or legitimate interest. Making sure you have this lawful basis will give you more engaged users/visitors. All the transparency efforts you make for your users, in terms of easily accessible information, will lead to more trust and, we hope, more performance.
  2. The GDPR has specific rules about enabling your contacts to specify exactly what they want to receive from you. This makes total sense from a business perspective. Don’t send to users that don’t want to hear from you, and make sure the ones that do get to choose what they want. This will lead to fewer unsubscribes and better deliverability.
  3. The GDPR requires increased transparency around data collection and processing. In legal language, that’s the “right to access”, “portability”, and the “right to be forgotten” which mean your contacts can demand a copy of their data in a common format and/or ask for the deletion of all their personal data. Again, the link between transparency, trust, engagement of your users/visitors and performance is clear.

GDPR impact, what it means and what Kwanko does about it:

  • Definition of roles
    • What it means: Publishers are Data Controllers for all data collected and transferred to Kwanko or its advertisers. That means that publishers are responsible for the legal basis of the processing of all personal data, whatever its form (argsite, email, phone number…). Kwanko is the Data Processor, as a supplier of technical means.
    • What Kwanko does about it: Kwanko has updated its Terms & Conditions and offers its help to publishers, for instance with this web page.
  • Consent
    • What it means: Publishers, as Data Controllers, have the obligation to collect the consent of users for each given processing, and according to GDPR guidelines.
      • You need to tell the user clearly and unequivocally what he is opting in to.
      • The user needs to affirmatively opt in (pre-checked checkboxes aren’t valid). Filling out a form alone cannot implicitly opt the user in to all your company's data processing.
      • You must be able to prove the opt-in and offer an easy opt-out.
    • What Kwanko does about it: Kwanko has updated its Terms & Conditions and offers its help to publishers, for instance with this web page.
  • Minimization
    • What it means: Together, the publisher and Kwanko commit to collecting, storing and processing only the personal data necessary for the final purpose, and to storing personal data only for the time necessary for the given purpose.
    • What Kwanko does about it: While mapping its personal data, Kwanko went through all of it to define the maximum storage time.
  • User Rights
    • What it means: Together, the publisher and Kwanko commit to offering the rights “to access” and “to be forgotten” to all users who make the request. We also commit to facilitating the fulfillment of the request.
    • What Kwanko does about it: Kwanko is simplifying the process of requesting access to, or the transfer, modification or deletion of, a user's personal data.
  • Safety
    • What it means: Together, the publisher and Kwanko commit to offering a secured environment for the collection, transmission and storage of all personal data they process. Example: pseudonymization by an MD5 hash will support the security of the transmission of personal data (e.g. an email address).
    • What Kwanko does about it: Kwanko has set up internal processes to make sure all its team is aware of the confidentiality required when processing personal data. Kwanko designed a Security Policy.

To access, modify, delete or transfer the personal information we may have on you, please make the request using the following form:
