In May 2018, the new European privacy legislation comes into force: the General Data Protection Regulation (abbreviated GDPR, known in Dutch as AVG, Algemene Verordening Gegevensbescherming). In this article we summarise the steps Daisycon has taken in this context.
We at Daisycon are convinced that people's behaviour is the single most important factor in data security. This is also one of the main principles of the GDPR. Daisycon personnel are well informed about what is and is not permitted when it comes to data. There are rules and there is a separate policy regarding incoming data. In addition, there is a security and escalation protocol. Data policy is regularly brought to the attention of personnel and is included in the Daisycon employment terms and conditions. At senior management level a data officer has been hired who is responsible for the above-mentioned policy. Where applicable, we conclude separate processor agreements with our customers and suppliers.
Rights of parties concerned
Daisycon has protocols to deal with the Right to Access and the Right to be Forgotten. You can read them here:
At Daisycon we have analysed and documented what data is available in the organisation. This is recorded in a register of processing activities. Storing as little sensitive data as possible is an extremely important step in our data security. This is known as privacy by design. For example, for our Affiliate Marketing service we save no personal details at all. Details are also combined so they can never be traced back to a person. IP addresses are truncated (shortened) before they are stored and are immediately hashed with MD5, which is irreversible. This creates a unique parameter that we can use to check the uniqueness of transactions, without this being traceable to an individual. We strongly advise advertisers against sending personal details with the transaction. This is always checked at the start of a campaign or when changing a conversion pixel.
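The truncate-then-hash step described above can be sketched as follows. This is an added example, not Daisycon's code: the truncation widths (/24 for IPv4, /48 for IPv6), the combined fields `campaign_id` and `order_ref`, and all function names are assumptions, since the article does not specify them.

```python
import hashlib
import ipaddress

# Assumed truncation widths; the article does not say how many bits are kept.
KEEP_BITS = {4: 24, 6: 48}

def truncate_ip(raw: str) -> str:
    """Zero the host part of an address so it no longer identifies one device."""
    addr = ipaddress.ip_address(raw.strip())  # raises ValueError on bad input
    # IPv4-mapped IPv6 (::ffff:a.b.c.d) is treated as the IPv4 address it carries.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    net = ipaddress.ip_network(f"{addr}/{KEEP_BITS[addr.version]}", strict=False)
    return str(net.network_address)

def transaction_key(raw_ip: str, campaign_id: str, order_ref: str) -> str:
    """MD5 over the truncated IP combined with non-personal transaction details."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    fields = (truncate_ip(raw_ip), campaign_id, order_ref)
    material = "".join(f"{len(f)}:{f}|" for f in fields)
    return hashlib.md5(material.encode("utf-8")).hexdigest()

def find_duplicates(transactions):
    """Return the indexes of transactions whose key was already seen."""
    seen, dupes = set(), []
    for i, (ip, campaign, order) in enumerate(transactions):
        key = transaction_key(ip, campaign, order)
        if key in seen:
            dupes.append(i)
        seen.add(key)
    return dupes

# Constructed sample data (documentation address ranges, made-up ids).
SAMPLE = [
    ("203.0.113.57", "camp-1", "order-1001"),
    ("203.0.113.200", "camp-1", "order-1001"),     # same /24, same order: duplicate
    ("198.51.100.9", "camp-1", "order-1001"),      # different network: distinct
    ("2001:db8:12:3456::1", "camp-2", "order-7"),
    ("2001:db8:12:ffff::9", "camp-2", "order-7"),  # same /48: duplicate
]

if __name__ == "__main__":
    print(find_duplicates(SAMPLE))
```

The raw address never leaves `truncate_ip`, so only the truncated form reaches the hash and only the hash needs to be stored.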
Daisycon has an advanced rights system, so that only authorised personnel can access certain transaction data.
For our Lead Generation service, the campaigns are hosted at the advertiser and personal data is not stored by Daisycon. For several lead campaigns, Daisycon hosts the lead campaign for its customers. A processor agreement is concluded for the storage of these personal details. After delivery to the customer, this data is retained for as short a period as possible, taking into account legal regulations.
In addition to Daisycon storing as little data as possible, Daisycon strives for the best security of its systems. To that end, Daisycon works together with professional data security companies and Daisycon uses advanced detection software. Besides regular checks by its own technical department, Daisycon regularly carries out so-called penetration tests. Daisycon also has standard control processes for the go-live of new software. This ensures that only safe software is put into use between the penetration tests.
Daisycon's servers are managed by external hosting providers in separate locations within the Netherlands. These are ISO 9001 and ISO 27001 certified.
What should you, as advertiser, do?
We trust that this article gives you sufficient insight into the measures Daisycon has taken to comply with the GDPR. As we have indicated above, we enter into processor agreements with our advertisers where necessary. We do not store personal data for our Affiliate Marketing service. A processor agreement is therefore not mandatory. To be compliant for all data exchanges, our contracts with advertisers include a processor agreement by default. You can read the standard processor agreement here: https://www.daisycon.com/en/processor-agreement/. We also conclude a processor agreement by default for lead campaigns hosted by Daisycon.
In addition to the GDPR, the intention was that in May 2018 the ePrivacy Regulation would also take effect. At the beginning of December 2017, it was announced that the ePrivacy Regulation is unlikely to be introduced before 2019. The ePrivacy Regulation regulates the use of various marketing channels such as e-mail, cookies and telemarketing. The ePrivacy Regulation must still pass the European Parliament and the Council of Ministers. Because there is still a great deal of uncertainty about this regulation, we cannot yet take a clear position on it. As soon as we have more information, we will share it.
Daisycon has put together a comprehensive FAQ for its advertisers. Read it here. All public information about data at Daisycon has been collected in the previously mentioned data policy: https://www.daisycon.com/en/privacy/
You can also put your questions to our data officer, Rick de Vlieger, via firstname.lastname@example.org.