In May 2018 the European privacy legislation, the General Data Protection Regulation (abbreviated as GDPR), entered into force. In this article we have summed up the steps Daisycon has taken in this context.
We at Daisycon are convinced that people’s behaviour is the single most important factor in data security. This is also one of the main principles of the GDPR. Daisycon personnel are well informed about what is and is not permitted regarding data. The policy concerning the processing of data, specifically personal data, is well known and understood by the personnel. In addition, there is a security and escalation protocol. Data policy is regularly brought to the attention of personnel and is included in the Daisycon employment terms and conditions. At senior management level a data officer has been hired who is responsible for the above-mentioned policy.
In order for all data processing between data controllers and data processors to be compliant with the GDPR, Daisycon has drafted standard processor agreements relating to Daisycon's services, between Daisycon, publisher and advertiser. Where applicable, we conclude separate or additional processor agreements with our clients and suppliers.
Rights of parties concerned
Daisycon has protocols to deal with the Right of Access and the Right to be Forgotten. You can read them here:
- As a data subject, I wish to make use of the Right of Access at Daisycon
- I wish to make use of the Right to be Forgotten at Daisycon.
Through our privacy policy we clarify to parties concerned, among other things, what data we store. You can read our privacy policy here.
Data security and personal data
At Daisycon we have analysed and documented what kind of data is processed in the organisation. This is recorded in a register of processing activities. The fact that we store as little sensitive data as possible is an extremely important step in our data security. This is known as privacy by design. For example, for our Affiliate Marketing service we save no personal details at all. Certain details, however, can be traced back to a person when combined with other data. IP addresses are therefore truncated (shortened) before they are stored and are immediately hashed with MD5, a one-way (irreversible) hash function. This creates a unique parameter that we can use to check the uniqueness of transactions, without this being traceable to a person.
Cookies and matching data are used solely to assign transactions to publishers and not to create behavioural profiles.
The pseudonymised transaction ID of the advertiser can be traced back to the person only by the advertiser and is therefore a type of personal data. This transaction ID is only available to the advertiser and is linked to an anonymous Daisycon transaction ID; only this anonymous Daisycon transaction ID is shared with the publisher for alignment purposes.
We strongly advise advertisers against sending personal details with the transaction. This is always checked at the start of a campaign or when changing a conversion pixel.
Daisycon has an advanced rights system, so that only authorised personnel can access certain transaction data.
Technical security
In addition to Daisycon storing as little data as possible, Daisycon strives for the best security of its systems. To that end, Daisycon works together with professional data security companies and Daisycon uses advanced detection software. Besides regular checks by its own technical department, Daisycon regularly carries out so-called penetration tests. Daisycon also has standard control processes for the implementation of new software. This ensures that only safe software is implemented between the penetration tests.
Daisycon's servers are managed by external hosting providers in separate locations within the Netherlands. These hosting providers are ISO 9001 and ISO 27001 certified.
What should you, as advertiser, do?
We trust that this article gives you sufficient insight into the measures Daisycon has taken to comply with the GDPR. As we have indicated above, we enter into processor agreements with our advertisers where necessary. We do not store personal data for our Affiliate Marketing service. A processor agreement is therefore not mandatory. To be compliant for all data exchanges, our contracts with advertisers include a processor agreement by default.
You can read the standard processor agreement here.
Inform your visitors about your use of Daisycon's services; you can use the following standard text for this.
We also conclude a processor agreement by default for lead campaigns hosted by Daisycon.
More information
Daisycon has compiled a comprehensive FAQ for its advertisers. Read it here. All public information about data at Daisycon has been collected in the previously mentioned privacy policy.
Do you have any more questions about our legal policies? If so, please send us an e-mail at: legal@daisycon.com.