General Data Protection Regulation (GDPR) Policy at AppNexus

What is the GDPR?

The European Union (the EU) has adopted the General Data Protection Regulation, or GDPR, to replace the EU Data Protection Directive (Directive 95/46/EC).  Its adoption was intended to harmonize data protection laws through the EU.

The GDPR goes into effect 28 May 2018 and, in addition to the existing ePrivacy Directive (and the proposed ePrivacy Regulation which would replace the ePrivacy Directive), and it will change the way companies interact with individuals located in the EU, including the way companies access, acquire, use, share, store, and provide individuals access to their personal data. 

AppNexus and the GDPR

AppNexus has always believed that responsible and transparent collection and use of data combined with choice mechanisms that give end users control over their personal data are of the utmost importance and an issue that everyone in the online advertising ecosystem must take very seriously. 

Data Protection, Security and the AppNexus Platform

AppNexus is committed to protecting personal, private, confidential, and sensitive data and the systems used to process, store, or transport such data. This is includes, but is not limited to, customer data, employee data, and company, vendor, and partner proprietary data. Please see the following for an outline of the measures employed by AppNexus towards that commitment:

https://wiki.appnexus.com/display/policies/Data+Protection+and+Security+on+the+AppNexus+Platform

 International Data Transfers

Just as the Data Protection Directive has requirements on international data transfer mechanisms, so does the GDPR. To address current EU data protection laws and meet the requirements of the transfer of data from the EU, AppNexus is certified under Privacy Shield and, where necessary, has also adopted model contract clauses.  Although challenging given the flow of data in the advertising technology ecosystem, AppNexus is also undertaking measures to expand its European data center architecture to ensure that the personal originating in Europe that AppNexus accesses remains in the EU.

Data Processing

As you prepare for the GDPR, if you need additional information about how our Services work, the data we collect and how data flows and is handled through the AppNexus Platform, please reach out to our Privacy Team through your Account Manager or Sales Representative. 

Notice and Transparency

In close partnership with our customers and partners, we are building tools to meet GDPR’s enhanced transparency, access, and choice requirements, in addition to the current ePrivacy Directive’s consent requirement as it has been implemented by different European countries, and taking into account the proposed ePrivacy Regulation which would replace the Directive.

ePrivacy

AppNexus is closely following the proposed revised ePrivacy Regulation as it makes its way through the European Parliament. That includes actively participating in the review process through our membership in IAB EU and local IAB chapters and regularly meeting with and discussing issues and proposed solutions with our clients and thinking through possible scenarios depending on the outcome of the proposed revised Regulation. Where consent is necessary under the ePrivacy Directive today, we contractually require our clients to comply with the Directive.

What else?

Our Clients and Vendors: We are continuing to review the partners with whom we work either directly or through our customer relationships. For partners we trust, we will impose enhanced requirements governing access to and the use of data on and off our technology stack. This includes updates to our contracts and data processing agreements.  We will no longer work with partners that cannot or will not comply with our requirements.

Our Platform: We are constantly working to make operational changes across our platform to further minimize our use of personal data and build additional tools to allow our clients to control and restrict which partners have access to the data of their end users.

European Regulatory Guidance: We are continuing to monitor guidance from the Article 29 Working Party and the Data Protection Authorities across the EU.