Data Protection Framework
(adjust the above for other countries and their applicable Supervisory Authority)
SN&CK Media has completed applicable Privacy Impact Assessments (also known as Data Protection Impact Assessments under GDPR) for activities related to this website, and these are available upon request from the Company’s Data Protection Officer (see Section 9).
- Customer and Citizen Data
You may decide to send us your personal information via this website if you are seeking more information, requesting to attend one of our events, or for other similar purposes. Your decision to disclose your personal data is entirely voluntary, and by doing so, you are taking an affirmative action by providing us with specific consent to use your personal data only for the purposes for which you have disclosed it to us.
SN&CK Media may access and use your personal data only for the purposes for which you have submitted it to us to (a) provide information to you, (b) make contact with you, (c) provide services to you, or (d) maintain the operations and security of the website and services we provide to you. We will not use your personal information for any other purposes, for example for the communication of marketing materials, unless we have your specific consent that permits us to do so.
We will at all times handle and store your personal data in accordance with industry best practice aligned with ISO27001, the international standard for information security. This includes the activities and procedures undertaken by our own personnel and authorised third parties (see Section 5), and the technical controls which we have implemented to prevent unauthorised access, compromise or theft of information from our applications, supporting computer systems and premises.
- Sensitive Personal Data
GDPR specifies a set of personal data categories which are “sensitive”, and which require special consideration by Data Controllers. This website, and any services available from this website, do not knowingly collect or process any sensitive personal data, and supporting Privacy Impact Assessments (also known as Data Protection Impact Assessments under GDPR) are available upon request from the Company’s Data Protection Officer (see Section 9).
- Children’s Personal Data
This website, and any services available from this website, are not directed to children under the age of 13. If you learn that a child under the age of 13 has provided us with their personal information without having parental consent, please contact the Company’s Data Protection Officer (see Section 9) immediately so that we can take appropriate action.
- Customer and Citizen Data Rights
As prescribed within data protection regulations, you have specific rights connected to the provision of your personal data to SN&CK Media using this website. These include your rights to request we:
- confirm to you what personal data we may hold about you, if any, and for what purposes
- change the consent which you have provided to us in relation to your personal data
- correct any inaccurate or incomplete personal data which we may hold about you
- provide you with a complete copy of your personal data for you to move elsewhere
- stop the processing of your personal data, whilst an objection from you is being resolved
- permanently erase all your personal data promptly, and confirm to you that this has been done (there may be reasons why we may be unable to do this)
To contact SN&CK Media, please see Section 9 below.
If SN&CK Media does not address your request, or fails to provide you with a valid reason why we have been unable to do so, you have the right to contact the Information Commissioner’s Office to make a compliant. They can be contacted via their website (www.ico.org.uk) or by telephone 0303 123 1113.
- Declaration of Sub-Processing
To make an informed decision on whether to provide your personal data to SN&CK Media using this website, we need to make you aware of the following organisations who act as Data Processors for us in the provision of our services to you:
Google, (specifically Google Analytics and DoubleClick for Publishers) based in the United States with data centers in the locations listed here (https://www.google.com/about/datacenters/inside/locations/index.html), who collect pseudonymous personal data: IP address, device identifiers, cookie identifiers and geolocation information for the main purposes of providing statistical data (web analytics) and advertising services.
Google complies with the EU-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use and retention of personal information from European Union member countries and subject to enforcement by the Federal Trade Commission. Google, including Google Inc. and its wholly-owned US subsidiaries, has certified that it adheres to the relevant Privacy Shield Principles, including for Google Analytics.
Google is ISO 27001 certified with Certificate number: 2016-006 Certified by EY CertifyPoint since: April 29, 2016
Comscore UK Ltd, is based in the UK.
They process personal information to enable them to promote their goods and services, to maintain their accounts and records and to support and manage their staff.
Comscore is registered with the ICO. Their ICO registration number is ZA242774
Quantcast Internaional Limited, is based in the US.
Quantcast is not registered with the ICO.
Adspruce, is based in the UK.
Adspruce is registered with the ICO. Their ICO registration number is Z1260549
Adyoulike, is based in France and the USA
collect and process the personal data of users of the sites, on behalf of its customers, for purposes of advertising, statistical analysis as well as the detection
of computer BOTS and doubtful behaviour in an effort to limit the exposure of advertisements.
Nature of the data processed for campaign distribution and the type of persons concerned:
• Cookie ID (visitor)
• Geolocation data from the IP address (visitor)
• Name of Advertiser (advertiser)
• Ad Domain of the campaign (advertiser)
• Category IAB of the campaign (advertiser)
• Behavioural data: advertising interaction (visitor, advertiser)
• Visitor navigation context (visitor)
The IP is only used to derive a geographic context from the user for advertising targeting purposes.
Adyoulike is not registered with the ICO.
AppNexus, is headquartered in the USA, with a local office in London, England
Description of processing of information can be found here: https://wiki.appnexus.com/display/GDPR/Types+of+Personal+Data+Processed+by+AppNexus and reasons for processing information here: https://wiki.appnexus.com/display/GDPR/AppNexus%27s+Methods+for+Collecting+or+Receiving+Personal+Data
Appnexus is not registered with the ICO.
Browsi, is based in the US, where all data is processed
Browsi is not registered with the ICO.
Clicksco, is UK based and data storage is all in the EU.
The standard Carbon tag collects the following data, which is used for marketing, data aggregation, analytics and profile creation in order to deliver personalised advertising:-
– device / userAgent
Data is retained for the purpose of personalised advertising for up to 13 months from the date of the last user interaction. Aggregated or de-identified data is used for reporting and analysis, and may be retained for a further two years.
Where appropriate data is encrypted in Carbon.
PII data is encrypted at rest and within standard Carbon don’t collect email addresses.
Carbon will not deliver audiences generated from the combination of multiple signals that could be attributed to a specific individual (re-identification).
Clicksco is registered with the ICO. Their ICO registration number is ZA139095
Collective Europe Ltd, is based in the UK.
Consent has been required in the UK for the placing of tracking technologies on an end-user’s device since the Privacy and Electronic Communications Regulations were amended in 2011.
Collective is registered with the ICO. Their ICO registration number is ZA136897
Coull, is based in the UK.
They store data temporarily on their own secure servers, using it to geo-locate the user and match against fraudulent IPs, for the purpose of serving advertising on videos/ IP addresses are used for blocklisting bad actors and for geo locating the user (at the country level).
Coull is registered with the ICO. Their ICO registration number is Z1610134.
Criteo, has Data Storage and Processing based outside the UK. They store pseudonymous data on EU consumers within the European data center. They do not transfer collected customer raw data outside Europe. If the data is collected in the US or in APAC, the data will be transferred to Europe.
Criteo only collects and processes pseudonymous data that is considered non-personally-identifiable. Pseudonymous data is sub-category of personal data that offers more confidentiality as it does not allow a way to directly identify individuals. Criteo does not collect/process personal data, only pseudonymous data which includes:
Hashed email addresses
Mobile Advertising IDs
Any other technical identifiers that allow Criteo to single out individual behaviour without directly identifying the individuals.
The lifetime of Criteo’s cookies is 13 months (except the opt-out cookie: 5 years).
Criteo is not registered with the ICO.
Densou, is based in Denmark, all data is stored within DFP/Google
Densou is not registered with the ICO.
FreeWheel, a Comcast Company, is based in the UK.
FreeWheel processes personal data either on their publisher client’s behalf or on a DSPs behalf in order for the consented users to have advertising ads rendered against them as an impression.
Comcast International Holdings UK Limited is registered with the ICO. Their ICO registration number is ZA323574.
GumGum, has both a UK entity and a US entity and data is processed and stored outside of the UK.
As a Processor as defined by the GDPR, GumGum’s purpose (to provide services) and legal basis (performance of contract) for processing any data is in connection with our duties under the written agreement and at the specific direct of the Data Controller.
GumGum participate in behavior-based advertising. This means that a third party may use technology (e.g., a cookie) to collect information about your use of our website so that they can provide advertising about products and services tailored to your interests. That advertising may appear either on our websites, or on other websites (e.g., social media platforms, search engines, etc.). They also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal information but is not considered personal information in law as this information does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature.
GumGum is registered with the ICO. Their ICO registration number is ZA244724
Index Exchange, currently stores data on data servers in any of the following Index Exchange data centers: Toronto (ON-CAN), Secaucus (NJ-USA), Ashburn (VA-USA), Sunnyvale (CA-USA), Los Angeles (CA-USA) Amsterdam (NH-NL), Frankfurt (DE), or Hong Kong (CH).However, Index Exchange is continuing to invest their ensure our operations are fully compliant with GDPR (notably, Articles 44 through 49) prior to the regulation’s date of implementation (20180525).
Index Exchange is registered with the ICO. Their ICO registration number is ZA325358.
Justpremium, has official country registration is EU (Headoffice is located in The Netherlands). Part of their data is processed within the US.
Justpremium focuses on storing the least personal information as possible without impacting normal business procedures. These normal business procedures include:
• Fraud detection
Currently there are two types of personal data collected:
• A unique user id generated by Justpremium
• The user’s ip address when requesting a Justpremium tag
Other data that could potentially show the behavior of users are browser width and height, url of the website that’s visited, the browser name and version, any interaction that’s registered on the creative and the timestamps of the event.
The cookie lifetime of the unique user id is currently 30 days and refreshed upon each new visit. The average actual lifetime of an advertising user id cookie (for the whole industry) is around 7 days, due to users deleting their cookies, not visiting sites where they are set from each day or using anonymous browser sessions. The number of returning user id’s measured by Justpremium is less than 10%
Reports that are shared internally and/or with clients only contain aggregated data. Justpremium will never disclose IP addresses or user id’s to its clients.
Justpremium is not registered with the ICO.
LoopMe, is based in the UK.
LoopMe stores personal data from ad requests. This includes Device ID and IP address, which may fall under GDPR legislation.
LoopMe is not registered with the ICO.
Nativo, has offices in USA and UK. All of their data is hosted with Amazon Web Services sites in USA and Ireland.
See: www.nativo.com/interest-based-ads for information on processing data
Nativo is not registered with the ICO.
Oath (UK) Limited, is based in the UK.
Oath is registered with the ICO. Their ICO registration number is Z5298132.
Onscroll Limited, has data centers located within the U.S. and EEA. When a ad tag fires requesting an advertisement to be served, the request is directed to the nearest data center location. Therefore most of the time, requests initiated from users in the EEA are handled by our servers located in the EEA.
Sovrn collect data depending on which product is being used will depend. If one is using any product under Sovrn services then data will be captured and stored for 6 months only if consent is given. All products which fall under OnScroll will only be analysing user browser behaviour to ensure an ad is 51% in view and engage. This falls under legitimate interest and is not considered PII.
Onscroll Limited is registered with the ICO. Their ICO registration number is ZA340963.
OpenX, is based in the UK.
OpenX is not registered with the ICO.
Playground XYZ, has a UK office and UK Ltd company. Their head office is in Australia. However their AWS servers are located in United Kingdom, Ireland, Singapore and the United States of America.
They process data for the purposes of delivering advertising campaigns for our customers.
They record IP address in order to assist in the protection of systems from malicious activities, including denial of service attacks and brute force attempts to access their systems. They store IP addresses for this purpose for 90 days in order to detect and analyse previous attacks on their systems.
- Playground XYZ is not registered with the ICO.
Publica, is based in the USA
The only PII collected by Publica are the IP Addresses of the users visiting websites using the Publica solution. Once collected, the data is cross-referenced with MaxMind’s Geolite2 Country local database to resolve the data subject’s country, and then it is deleted by Publica without any storage backup. IP addresses are never written to any form of persistent storage.
This processing is used provide country level-targeting options to Publica customers.
Publica is not registered with the ICO.
Pubmatic, has office locations in London, Hamburg, Munich, Stockholm, Amsterdam and Milan in EMEA; NY and CA in NAM; Pune, Mumbai, Singapore, Tokyo, Sydney in APAC.
Data storage and processing is done in the following locations –
· Amsterdam for EMEA
PubMatic currently uses Equinix and Digital Reality for colocation services. Equinix and Digital Realty maintains various industry recognized certifications including ISO27001 certification. Copies of ISO certifications are available upon request.
To the extent passed by a publisher, we collect the following data –
– Browser User agent header data (e.g., carrier, browser version language, etc.);
– Geo location data (i.e., IP address; location information (Lat/Long, GPS));
– Mobile Advertising Identifier (Apple IDFA, Google Android Ad ID, etc.);
– Permanent device identifier (UDID, IMEI);
– User ID;
– HTTP cookies;
– Custom and predefined key value pairs (i.e. can be used for any value passing such as age, gender, audience data, etc.)
PubMatic is registered with the ICO. Their ICO registration number is ZA019572
RevContent, is based in the USA.
They collect certain information from users to the sites to enable the services to function as intended (device type, browser, Ads Clicked, Widgets viewed, generalized location via IP Address, etc.). The data is collected and processed under the lawful basis of legitimate interest: that of permitting the services to function as intended and to personalize the content in line with user interests to the extent possible. The Company has performed the appropriate Legitimate Interest Assessments and balancing tests to reach this conclusion. The data is attributed by cookie to anonymized users. IN other words, RC has information associated with an unidentifiable user, and cannot use the data to identify the specific individual to which it belongs. All Data is stored in accordance with a comprehensive Data Security Policy which already reflects industry best practices and incorporates the data security principles consistent with ISO27001 and other trade organizations, but is currently under review to update if necessary in accordance with GDPR requirements (incident response plan, breach notification requirements, etc.)
RevContent is not registered with the ICO.
Rubicon Project is registered with the Information Commissioner’s Office for the UK Data Protection Act with registration number ZA118130. While Rubicon Project is not ISO 27001 certified, The Rubicon Project Ltd’s information security management program is modelled after 27001 practices.
Seedtag, is based in Spain.
Seedtag is not registered with the ICO.
Sharethrough, is headquartered in the U.S. with a subsidiary that operates in the U.K. Their data is processed by our Frankfurt-based AWS instance at the direction of our U.S. systems policies.
Sharethrough is not registered with the ICO.
Stanza, is based in the US.
Stanza is not registered with the ICO.
SublimeSkinz, is based in the UK
In general, Sublime Skinz believes reliance on consent as a legal base will entice a more transparent relationship with users. More specifically, for targeting and analytics, Sublime Skinz will rely on consent; for conversion tracking, measurement, antifraud, brand safety. Sublime Skinz will rely on legitimate interest.
Through their advertising tag, they collect data from exposed web users, ie. each time a webuser is consulting a site from their network, if their tag is loaded in the page, they can collect various data from this user. They use the information they collect from web users in order to provide their advertising services, to improve their service and for fraud detection.
Below are the specific purposes for which they use the information we collect about web users:
For analytics purposes: They use collected data in order to propose anonymized counters. For example, they calculate the number of impressions per country or city, or the number of impressions per type of browser.
To personalize the experience: They use IP address to estimate geolocations and to propose targeted content. For example, for local stores campaigns, they may be asked to target people in the same city or region of this store in order to increase conversion.
For research and development: They are always looking for ways to make their services smarter, faster, secure, integrated and more useful. They use data to identify trends, usage, activity patterns and areas for integration and improvement of the Services. For example, they use browser size to check if their ad formats can be displayed evenly on their network and to improve their creative templates to be sure every element will be viewable on screens. They also analyse the correlation between clicks and frequency per user so they can avoid ad blindness.
For safety and security: They use information about web users to monitor suspicious or fraudulent activity and to identify violations of Service policies. For example, IP Address, UUID, xf and use ragent are used to detect invalid traffic such as bots or scripts.
To protect their legitimate business interests and legal rights: When required by law or where they believe it is necessary to protect their legal rights, interests and the interests of others, they use information about web users in connection with legal claims, compliance, regulatory, audit functions, and disclosures in connection with the acquisition, merger or sale of a business.
With consent: They use information about web users when consent is given to do so for a specific purpose not listed above.
Sublime Skinz is not registered with the ICO.
Teads, stores operational data (used to deliver our services) regionally in AWS:
EU – In Ireland
Teads collects information provided by third-parties. To do this and link up data across advertising platforms and devices, Teads uses ID Syncing to associate Teads IDs with identifiers and data from third party business partners, other advertising platform and/or data providers.
What data do they collect?
Events related to user’s activity on their partner’s websites/apps (such as the number of pages viewed,
the products viewed on that website, searches made on the partner’s website, referring/exit pages) ;
Information related to the user device (eg. device type, operating system).
Technical user identifier such as technical IDs of our advertising partners, and Mobile advertising IDs (such as Apple IDFA or GAID).
Non-precise information related to geography and derived from the IP address of connection1 (in order to serve ads only for products and services available in the user country, region or city) ;
Precise geolocation information through the mobile application settings the users have chosen
Events related to the Teads ad serving such as the number of ads displayed, date/time stamp, and /or the user’s interactions with the ad (eg. action, duration, clickstream).
Third party data providers provide segment interest (eg.socio-demo segment, lifestyle etc…) ;
We do have access to the IP address however, we do not store full IP address for targeting purposes.
The full IP addresses may only be used by Teads for the following purposes:
Fraud detection purposes to help alert us to situations which could not have been caused
by human behavior, such as a massive amount of clicking in a limited period of time;
To be sent to the advertising partner (such as ad exchanges, demand side platforms) buy
and/or sell ad placements.
How do they use the data?
Analytics: We use collected data for monitoring and reporting the effectiveness of the campaign
delivery to our business partner and for internal business analysis.
Re/Targeting: We use data to filter the ad delivery according to the context (page content, website
name,etc) and the user profile (socio-demographic, geolocation, interest, behavior, etc). This is based on data we do collect directly or from a third party. Teads analyses the products viewed, the search made by the visitor and/or pages visited and may link them with third party data information. This targeting may also be done by the DSP partners. In this case, Teads sends those information in the bid request.
User frequency Capping: We use data to cap the frequency and volume of the same ad delivered to the same user.
Ad Delivery: They transmit collected data for ad delivering and campaign tracking to our business
partners. This does not provide the granularity at the user level.
Delivery Algorithm training: We use data which is anonymized, so as not to be identifiable to a
specific source, and aggregated, so as not to be identifiable to any individual transaction in order to improve our service and technology.
Confidential Data transmitted to 3rd-party: To operate our services, Teads uses partners for analytics, targeting, brand safety, fraud detection, viewability measurement, campaign delivery tracking or others partners that may help them to deliver and measure the quality of our service.
Cross device experience: To provide a consolidated experience through the different devices or
browser environments, they may link the Teads identifiers on the different browsers and environments the user is using.
Cross advertising platform experience: This enables the display across multiple publishing platforms and advertising service providers as well as the advertising partner to use their data on their audience across different advertising platform.
Teads is not registered with the ICO.
Telaria Inc, is based in the US.
Processing activities include, without limitation, placing and synchronizing cookies, including for actual or future bids, channeling and passing information from Seller to other parties, such as Buyers and platforms, hosting and retaining data, advertisements and other information, accessing data provided by third parties integrated with the Services, providing analysis and reporting, and providing other customer support services.
Telaria is not registered with the ICO.
Undertone, is based in the US.
They do not collect, process or store any personal data as defined by the GDPR. Any EU campaigns will be run through AppNexus which utilizes the IAB protocol for consent via the Global Registry List.
Undertone is not registered with the ICO.
Unruly Group Limited, is based in UK (London) Some servers are in the UK. Data is stored by AWS & Steadfast. They have AWS servers located in US (Oregon, US; West Virginia, US) Australia, Singapore, Ireland, Chicago, US is a Steadfast server.
Unruly stores Video data (Impression, View, Complete, Clickthrough, …) and they collect the following: Geolocation, Time of interaction, Type of interaction, Unique User Identification, IP address, User Agent (Browser and version/Device), Page URL, Audience segments and error messages.
Unruly collect / process the data for the purpose of Personalised Online Content Delivery; Online Content Delivery Analytics; Fraud Prevention
Their ICO number is registration number is Z2795263
Vibrant Media, is based in the UK (London).
They collect cookie data to assist in serving relevant ads and IP address to prevent fraudulent clicks and events
Their ICO number is registration number is Z526181X.
VisualDNA, is based in the UK.
NMC/VisualDNA enables the compilation of highly accurate audience demographics/audience segments for a wide range of online advertising. These audience demographics/segments are valuable for advertisers and content publishers in establishing advertising rates (“currency”), as well as identifying suitable audiences for advertisers. To demonstrate legitimate interest, the value of NMC/VisualDNA data processing is weighed against the potential privacy impacts the activity could have on the data subjects who are counted among our aggregated audience statistics. We believe these potential impacts are low:
No direct identifiers are collected by the process; only IDFA/AID, cookie IDs and IP address
They require clients and publishers to provide clear notice about the collection and use of end user data, including for interest based advertising, and to enable user to opt-in or opt-out (as required by applicable law) to such use of data
Nielsen is a member of NAI, DAA, eDAA and adheres to those organizations’ codes of conduct and principles.
Nielsen maintains privacy notices which enable individuals to opt out of the collection and use of data.
Their ICO Registration number is Z3154850
- Information on the IAB Europe Transparency & Consent Framework Global Vendor List can be found here: http://advertisingconsent.eu/transparency-consent-framework-global-vendor-list/
The activities within which each of these Data Processors participates have been recorded within the applicable SN&CK Media Privacy Impact Assessment records (also known as Data Protection Impact Assessments under GDPR) and these are available upon request from the Company’s Data Protection Officer (see Section 9).
- Website Cookies
Cookies are small text files sent by us to your computer, and from your computer or mobile device to us each time you visit our website. They are unique to you or your web browser. Session-based cookies last only while your browser is open and are automatically deleted when you close your browser session. Persistent cookies last until you or your browser delete them, or until they expire.
- External Links
This SN&CK Media website may include relevant hyperlinks to external websites not controlled by us. Whilst all reasonable care has been exercised in selecting and providing any such links, you are advised to exercise caution before clicking any external links. We cannot guarantee the ongoing suitability of external links, nor do we continually verify the safety or security of the contents which may be subsequently provided to you. You are advised, therefore, that your use of external links is at your own risk and we cannot be responsible for any damages or consequences from your use of them.
- Contacting SN&CK Media
SN&CK Media Ltd
Rosebery House Business Centre,
70 Rosebery Avenue,