Data Processing Addendum (‘DPA’)
1 PURPOSE
This Data Processing Addendum forms part of the Master Services Agreement or Sales Order entered into by and between Customer and ChannelSight (‘Agreement’). The purpose of this DPA is to reflect the parties’ agreement with regard to the processing of Personal Data in the course of the provision of ChannelSight services (‘Services’) in accordance with the requirements of Data Protection Laws.
2 DEFINITIONS
Authorised User: those employees, agents and independent contractors of the Customer or of a Customer affiliate who are authorised by the Customer to use the Services.
ChannelSight: ChannelSight as defined in the Agreement.
ChannelSight Personnel: employees, agents and independent contractors of ChannelSight.Consumer: consumers of the Customer’s digital media.
Controller: the person who, either alone or with others, determines the purpose and means of the processing of Personal Data.
Data Protection Laws: any data protection laws applicable to processing of Personal Data contemplated by this agreement including, without limitation, in particular the European Union General Data Protection Regulation (‘GDPR’) or the European Union Directive on Privacy and Electronic Communications (‘E-Privacy Directive’) and any related decisions or guidelines and all privacy, security, and data protection laws, rules, and regulations of any applicable jurisdiction including any jurisdiction in which ChannelSight services (the ‘Services’) are being provided or the Personal Data is being processed and any jurisdiction from which ChannelSight or any subprocessor provides any of the or Services or from which Customer provides Customer’s products or services.
Data Subject: an identified or identifiable natural person about whom the Personal Data relates.
EEA: the European Economic Area.
Personal Data: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Personal Data Breach: means any breach of security leading to the accidental or un-lawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Personal Data;
Processing and process: has the meaning given to that term in the GDPR.
Processor: a natural or legal person which processes Personal Data on behalf of the Controller.
SCC Agreement: the standard contractual sections for the transfer of personal data from the European Union to Processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU as may be updated from time to time
3 CONTROLLER AND PROCESSOR
3.1 The Customer is the Controller of all Personal Data of Consumers that is processed by ChannelSight as part of the Services. ChannelSight acts as a Processor of this Personal Data and Authorised User log-in details to the portal.
3.2 ChannelSight acts as Controller of ancillary Personal Data relating to the provision of the Services, for example, billing information and support correspondence between Customer and ChannelSight. This may contain some information about Authorised Users. By agreeing to these terms, Customer confirms it is aware of ChannelSight’s role as a controller.
3.3 Through the Customer’s use of the Services, the Customer will collect information about Consumers. This may include Personal Data. For some Channelsight Services there are minimum categories of data that must be collected for the Services to operate. If a Customer chooses to use the Service, these data categories are processed. There are also additional categories that Customers may opt to also collect.
3.4 The Controller shall ensure that it is entitled to permit ChannelSight to process the relevant Personal Data and that ChannelSight is entitled to transfer relevant Personal Data to its subprocessors so that ChannelSight may lawfully use, process and transfer the Personal Data in accordance with the Agreement on the Controller’s behalf.
3.5 The Controller shall, in its use of the Services, process Personal Data in accordance with the requirements of Data Protection Laws. The Data Controller shall ensure that the relevant third parties, Authorised Users and Consumers have been informed of, and where necessary, have given their consent to, such use, processing, and transfer contemplated under this Agreement and as required by all Data Protection Laws and the Data Controller must provide appropriate and sufficiently prominent notice to, and obtain the appropriate consent from Authorised Users and Consumers regarding the collection, use and disclosure of such Authorised Users’ and Consumers’ Personal Data, including, at a minimum, through the Data Controller’s privacy policies and cookie notices and those of its advertising partners. Customer’s instructions for the processing of Personal Data shall comply with Data Protection Laws.
3.6 The Controller is entirely responsible for ensuring that the data uploaded to the ChannelSight Services is adequate, relevant and not excessive and that the lawful basis of the processing and transparency requirements have been complied with.
4 DETAILS OF THE PROCESSING CONTEMPLATED UNDER THIS DPA
4.1 The details of the processing contemplated under this DPA are described in Schedule 1.
4.2 ChannelSight or Customer may provide notice of change to the description of the Personal Data to be processed where an update is required due to changes to the Services or changes required due to applicable Data Protection Laws, including their interpretation. ChannelSight may provide notice to Customer of change to the DPA. Such updates will apply 30 days from the date of the notice.
5 PROCESSING OF PERSONAL DATA.
ChannelSight’s obligations as Processor
5.1 As the Processor with respect to Personal Data, ChannelSight acknowledges and agrees that:
5.1.1 ChannelSight must, and shall procure that its subprocessors shall, process Personal Data only for the purposes of fulfilling its obligations under the Agreement and in accordance with relevant documented instructions from Customer (unless required to do so by a Union or member state law to which ChannelSight is subject; in such a case ChannelSight shall inform Customer of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest). Customer agrees to provide ChannelSight with documented instructions relating to Personal Data under the Agreement.
5.1.2 ChannelSight agrees to make reasonable efforts to assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the processing and the information available to ChannelSight.
5.1.3 ChannelSight will not disclose any Personal Data to a third party, except at Customer’s specific request or where obliged to do so under any statutory or other legal requirement (in which case ChannelSight will use reasonable endeavours to advise Customer in advance of such disclosure and in any event immediately thereafter); and
5.1.4 ChannelSight or its sub-processors will only transfer Personal Data outside the European Economic Area (“EEA”) under the terms of section “Transfers of Personal Data Outside the EEA” (below). ChannelSight does not transfer personal data outside the EEA, except on Customer request.
Customer’s obligations as controller
5.2 In addition to Customer’s other responsibilities set out elsewhere in the Agreement, Customer acknowledges and agrees that:
5.2.1 Customer has and will continue to abide by an appropriate privacy notice relating to the collection and use of Personal Data.
5.2.2 Customer shall comply with:
a) all Data Protection Laws in connection with the processing of Personal Data and in the exercise and performance of Customer’s respective rights and obligations under this Agreement; and
b) the terms of this Data Processing Addendum and the Agreement.
5.2.3 Customer states that:
a) all data sourced by Customer for use in connection with the Services shall comply in all respects, including in terms of its collection, storage and processing (which shall include Customer providing all of the required fair processing information to, and obtaining all necessary consents from, Data Subjects), with Data Protection Laws; and
b) all instructions given by it to ChannelSight shall at all times be in accordance with Data Protection Laws.
5.2.4 Customer shall not withhold, delay or condition Customer’s agreement to any change to this Agreement requested by ChannelSight in order to ensure ChannelSight (and each subprocessor) can comply with Data Protection Laws.
6 SECURITY MEASURES
6.1 Each party agrees to take appropriate, and industry-standard, technical and organizational measures against unauthorized or unlawful access or processing of Personal Data in connection with this Data Processing Addendum and the Agreement or its accidental loss, destruction or damage. ChannelSight agrees to apply the ChannelSight InfoSec Policy (available on request), which may be updated from time to time.
6.2 ChannelSight shall, and shall procure that its subprocessors shall, take all reasonable steps to ensure that Personal Data processed in connection with this Data Processing Addendum and the Agreement is processed in compliance with the obligations under Article 32 of the GDPR relating to security of processing.
7 PERSONAL DATA BREACH NOTIFICATIONS
7.1 ChannelSight will promptly notify Customer of any known or reasonably suspected breach of security leading to a Personal Data Breach.
7.2 In respect of any Personal Data Breach, ChannelSight shall:
7.2.1 notify the Customer of the Personal Data Breach without undue delay (but in no event later than 72 hours after becoming aware of the Personal Data Breach); and
7.2.2 provide the Customer without undue delay (wherever possible, no later than 72 hours after becoming aware of the Personal Data Breach) with such details as the Customer reasonably requires regarding:
a) the nature of the Personal Data Breach (including, the categories and approximate numbers of data subjects and Personal Data records concerned); and
b) any investigations into such Personal Data Breach;
c) the likely consequences of the Personal Data Breach; and
d) any measures taken, or that ChannelSight recommends, to address the Personal Data Breach, including to mitigate its possible adverse effects,
provided that, (without prejudice to the above obligations) if ChannelSight cannot provide all these details within the timeframes set out in this section 7.2, it shall (before the end of such timeframes) provide the Customer with reasons for the delay and when it expects to be able to provide the relevant details (which may be phased), and give the Customer regular updates on these matters.
7.3 If a Personal Data Breach occurs ChannelSight shall:
7.3.1 take such steps and do all acts and things as the Customer requires in order to mitigate the effects of the Personal Data Breach; and
7.3.2 restore to the last available backup any Customer Data that has been lost, damaged or destroyed by the Personal Data Breach.
8 AUDITS
ChannelSight will make available to Customer all information necessary to demonstrate compliance with the data processing obligations laid down in this DPA including by allowing for and contributing to reasonable audits to determine ChannelSight’s compliance with its obligations under this DPA. These audits (of frequency of no more than once per year, except where there is reason to suspect a breach of the obligations may have occurred) may be conducted by Customer, auditors mandated by Customer, or public authorities in competent jurisdictions, subject to Customer and Customer’s auditors (if relevant) undertaking reasonable and appropriate confidentiality obligations.
9 CONFIDENTIALITY
ChannelSight shall, and shall procure that its subprocessors shall, ensure that any persons to whom ChannelSight discloses Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality with respect to the Personal Data.
10 TRANSFER OF PERSONAL DATA TO THIRD PARTY PROVIDERS.
Subprocessors appointed by ChannelSight:
10.1 ChannelSight uses third party providers to provide certain services, including hosting. A list of these third party providers is available on the ChannelSight portal and may be provided for Customer review, on request, prior to entering into this DPA (“Subprocessor Details”).
10.2 These subprocessors will have access to certain data, including relevant Personal Data, however such subprocessors are only permitted to process Personal Data for the purposes of providing their specifically contracted services to ChannelSight.
10.3 ChannelSight will use commercially reasonable efforts to ensure that such subprocessors utilize reasonable industry recognized security measures to protect against loss, misuse and unauthorized viewing of the information Customer provides to ChannelSight.
Third Party Providers Appointed by Customer:
10.4 Customer may elect to purchase or subscribe to third party services that may integrate with the Services (‘Third Party Solutions’).
10.5 Where Customer chooses to integrate with a Third Party Solution, this may entail providing ChannelSight with access to Personal Data held by such Third Party Solution, and may require the providers of such Third Party Solution to have access to Personal Data. Customer must notify ChannelSight and put in place a written contract between Customer and ChannelSight as required under Article 28 GDPR relating to any extra categories of Personal Data that ChannelSight will process on behalf of Customer due to such integration. Customer shall not send any Personal Data to ChannelSight unnecessarily.
10.6 With regard to Third Party Solution, Customer acknowledges and agrees that:
10.6.1 ChannelSight has no contractual relationship with such third parties, and no responsibility for Personal Data once such a transfer commences, nor for the duration such third party holds the relevant data. ChannelSight does not audit the adequacy or otherwise confirm the security or organizational measures employed by such third parties, which is Customer’s sole responsibility.
10.6.2 Customer is responsible for ensuring that Customer’s and ChannelSight’s use of the Services and integration with a Third Party Solution complies with any service terms of the applicable Third Party Solution. ChannelSight is not required to maintain Personal Data collected in breach of any relevant data protection or other applicable laws.
10.6.3 Customer is responsible for obtaining consent from Authorised Users and Consumers for the use and deployment of all Third Party Solutions or data or technology subject to the E-Privacy Directive.
10.6.4 In the instance of paid campaigns, ChannelSight technically cannot obtain consent from the consumer prior to the interaction with the terminal equipment of the consumer. This is, in most cases, the responsibility of the publisher of the ad. Brands should ensure that the advertising network they are using ensures that the publisher must obtain all required consent for cookies and tracking related to the advertisement.
10.7 ChannelSight makes no representations as to the appropriateness or legality of Customer’s choice to permit such third parties to have access to its Personal Data, and Customer is responsible for ensuring that it has all requisite consents and has provided any required notices to data subjects with respect to this processing of their data. ChannelSight is not responsible for the processing of Personal Data by Third Party Solutions.
10.8 CHANNELSIGHT HEREBY DISCLAIMS ALL RESPONSIBILITY FOR THE ACTIONS OF SUCH THIRD PARTIES OR FOR LOSS, DAMAGES, OR CLAIMS ARISING AS A RESULT OF DEPLOYING INTEGRATION CODE OR SCRIPTS FACILITATING TRANSFERS OF PERSONAL DATA OR MAKING A TRANSFER OF PERSONAL DATA ON CUSTOMER’S BEHALF. CHANNELSIGHT MAKES NO REPRESENTATIONS OR WARRANTIES AS TO THE SUITABILITY OF SUCH THIRD PARTY SOLUTIONS FOR RECEIPT OF PERSONAL DATA NOR OF THE SUITABILITY OF THE THIRD PARTY SOLUTIONS TO PROCESS PERSONAL DATA.
11 PROCESSING OF PERSONAL DATA BY SUBPROCESSORS OF SUPPLIER
11.1 ChannelSight may only authorise a subprocessor to process Personal Data provided that ChannelSight has entered into a written agreement with such subprocessor on terms which are substantially the same as those set out in this DPA. Where a subprocessor fails to fulfil its data protection obligations, ChannelSight shall remain liable to Customer for the performance of the data protection obligations of the relevant subprocessor.
11.2 Customer provide a general authorisation to ChannelSight to engage the subprocessors as are appointed on the date this DPA comes into force.
11.3 ChannelSight will with thirty (30) days’ notice inform Customer of any intended change in the subprocessors that will process Personal Data under this agreement and Customer shall be entitled to make any objections thereto. If no objections have been received within ten (10) days, the proposed subprocessor shall be deemed accepted. If Customer does not agree to the subprocessor, the parties shall attempt to settle the disagreement and if the parties cannot agree on the use of a subprocessor, ChannelSight may terminate this agreement by providing written notice, such termination to take effect on the later of (i) the date on which ChannelSight will commence using the services of the relevant subprocessor in relation to the Services provided to Customer or (ii) one (1) month after the date of Customer’s written notice.
12 TRANSFERS OF END USER PERSONAL DATA OUTSIDE THE EEA:
12.1 Personal Data may be transferred or stored outside the country where the Customer is located in order to carry out the Services and our other obligations under the Agreement.
12.2 ChannelSight will only transfer Personal Data outside the EEA on Customer’s specific request. Examples of why Customer may make such a request are transfers of such data to Customer or Customer’s affiliates, where Customer or Customer’s affiliate is based outside the EEA; a transfer to a third party outside of the EEA for further processing of the data; a specific request by Customer that ChannelSight uses a Third Party Solution or where Customer opts to integrate with a Third Party Solution outside of the EEA.
12.3 Where Customer opts to send Personal Data to Third Party Solutions via integration, plug-in or otherwise, Customer agrees that providers of Third Party Solutions are not subprocessors of ChannelSight for data protection purposes and such providers are Customer’s directly-contracted Processors acting under Customer’s instructions.
12.4 In making a request for ChannelSight to transfer Personal Data, subject to GDPR and related privacy regulations outside of the EEA, Customer confirms that there is “an adequate level of protection” in place for such transfer as such term in understood under GDPR.
12.5 Customer will indemnify and hold harmless ChannelSight, its subsidiaries and affiliates (and their respective employees, directors, officers, shareholders, attorneys, agents and representatives) from and against any and all claims, costs, losses, damages, judgments, penalties, interest and expenses (including reasonable attorneys’ fees and costs) from any claim, action, audit, investigation, regulatory action, inquiry or other proceeding that arises out of or relates to use of data by Third Party Solutions, or other transferees, or Customer’s failure to comply with any applicable laws and regulations in connection with the transfer of the Personal Data outside the EEA including any applicable data protection legislation or that arises out of or relates to any subsequent use of the Personal Data by the relevant transferee. This indemnification obligation set forth herein shall survive the termination of the Agreement.
12.6 ChannelSight agrees to enter into a SCC Agreement with Customer where reasonably required to ensure an “adequate level of protection” is in place for the transfer of such Personal Data outside the EEA, subject to ChannelSight’s approval of any updated text that may be issued.
12.7 The parties agree to cooperate where, due to changes in law or practice, an alternate data transfer mechanism is required to be put into operation to ensure an “adequate level of protection” is in place for transfer of data outside the EEA under GDPR.
12.8 In the event that the United Kingdom is not deemed to provide an “adequate level of protection” for the protection of personal data as such term is understood under the GDPR and the transition period for transfers of personal data between EU and UK has expired, the SCC Agreement (or, by agreement of the parties, any subsequent applicable data transfer mechanism agreed between the UK and EU) shall apply to any transfers of personal data to or from the United Kingdom during the term of the Agreement, subject to ChannelSight’s approval of any updated text that may be issued.
13 SUBJECT ACCESS REQUESTS
13.1 ChannelSight will promptly assist Customer with all notices, requests or other enquiries relating to the data protection rights which may be received by Customer or ChannelSight, at Customer’s reasonable expense.
13.2 ChannelSight will not respond to any subject access request without the Customer’s prior written approval unless required to do so by law or direction of a relevant regulator.
14 RETURN OR DELETION OF PERSONAL DATA
Immediately on termination or expiry of this Agreement, or otherwise on Customer’s request, ChannelSight must and shall procure that its subprocessors shall:
14.1 return all Personal Data to Customer; or
14.2 delete all the Personal Data, in a manner agreed to by Customer;
at Customer’s election, unless a law binding on ChannelSight or its subprocessors prevents it from doing as requested or unless otherwise agreed in the Agreement (for example, where the Customer has requested ChannelSight continue to store Personal Data in order to ensure compliance with a legal obligation
15 OBLIGATIONS INDEPENDENT OF OTHER PROVISIONS
The obligations contained in this DPA are without prejudice to ChannelSight’s other obligations under this Agreement and apply notwithstanding any permitted use or disclosure of confidential information in this Agreement.
16 COSTS
16.1 Subject to sections 2 and 16.3, the costs of ChannelSight and its subprocessors to comply with their respective obligations as Processors under Data Protection Laws applicable in a specific jurisdiction shall be borne by ChannelSight and its subprocessors to the extent compliance with such obligations is necessary for ChannelSight and/or its subprocessors’ compliance with applicable Data Protection Laws in their role as Processors in the jurisdiction in question.
16.2 Notwithstanding section 1, if Customer request ChannelSight to take on compliance activities which go beyond the activities that ChannelSight is required to do as a Processor under applicable Data Protection Laws, ChannelSight shall be entitled to its reasonable costs and the above shall be notified to ChannelSight and agreed pursuant to a further Order Form.
16.3 Should changes to applicable Data Protection Laws, including the interpretation thereof, entail increased costs for ChannelSight or its subprocessors, ChannelSight may, subject to providing written notice Customer, increase the rates charged to Customer to reflect the increased costs. The increase to Customer should be fair and reasonable and should be proportional to what other similar customers are being asked to pay.
17 WARRANTY and SUPPLIER LIABILITY
17.1 By using the Product to process Personal Data, Customer states, that Customer’s collection and processing of Personal Data does not breach the rights of any person or entity, including rights of publicity, privacy or under applicable Data Protection Laws, that Customer is entitled to transfer the relevant Personal Data to ChannelSight, and that ChannelSight is entitled to transfer Personal Data to its subprocessors and all Third Party Solutions so that they each respectively may lawfully use, process and transfer such Personal Data in accordance with this DPA and the Agreement.
17.2 The liability of ChannelSight relating to Personal Data processed in connection with the Product and/or Services is limited to direct losses related to:
17.3 any breach by ChannelSight of any of its Personal Data obligations under this DPA; or
17.3.1 ChannelSight (or any person acting on its behalf) acting outside or contrary to the lawful processing Instructions of the Customer in respect of the processing of Personal Data.
17.3.2 Any claims brought under or in connection with this DPA shall be subject to the Agreement, including but not limited to, the exclusions and limitations of liability set forth in the Agreement.
18 INTERPRETATION
18.1 The parties agree that this DPA shall replace any existing data protection terms the parties may have previously entered into in connection with the Services relating to Personal Data.
18.2 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.
Schedule 1 Details of the Processing
The subject matter of the processing is: ‘Where To Buy’ functionality for brands for online retail and the processing involves mapping a Customer’s products from customer touchpoint to sale.
The duration of the processing is: the duration of the Agreement plus 30 days for Customer to elect return/deletion of the Personal Data
The nature and purpose of the processing is: to facilitate accurate routing of purchase leads to online retailers and to provide feedback to brands.
The type of Personal Data is:
For Authorised Users: Username, password, phone number, login details, log-in logs, support requests, email address.
For Consumers: Transaction tracking data including:
Number 1.1
Service Where To Buy
Data subject Consumer
Data Point Impression IP Address
Optional No
Data controller Brand
Use case Consumer interacts with a WTB widget on a brand website/asset and we record those events with the IP address as telemetry data.
Processing IP address stored & sometimes used to aggregate events for reporting e.g. impressions per market.
Number 1.2
Data subject Consumer
Data Point Click IP Address
No
Data controller Brand
Use case Consumer clicks on a WTB link on a brand website/asset and as a web facing service we capture their IP address.
Processing IP address stored, sometimes used to aggregate the clicks for reporting e.g. clicks per market.
Number 1.3
Data subject Consumer
Data Point Click Analytics GUID
Optional Yes
Data controller Brand
Use case Consumer clicks on a WTB link on a brand website/asset and the brand-site appends the analytics user id from the consumer’s browser to the request.
Processing Userid stored so that the click and possibly subsequent sales can be shared back with the brand with that user context.
Number 1.4
Data subject Consumer
Data Point Click ID
Optional No
Data controller Brand
Use case Consumer clicks on a WTB link on a brand website/asset and is-redirected to a retailer (possibly via an affiliate), we pass a ClickID in the URL. The retailer or affiliate may drop a cookie with this ClickID or record it in another manner.
Processing ClickID stored so that the clicks and sales can be linked (anonymously) for aggregated performance reporting or click-to-sale data export.
Number 1.5
Data subject Consumer
Data Point Click Product
Optional No
Data controller Brand
Use case Consumer clicks on a WTB link on a brand website/asset and we record the product clicked on.
Processing Product ID stored so that the click and possibly subsequent sales can be shared back with the brand with that product context.
Number 1.6
Data subject Consumer
Data Point Product Sales from Clicks
Optional Yes
Data controller Retailer
Use case Consumer purchases a product on a retailer site after we have directed them to the site. The retailer then shares this sales detail with us along with the originating ClickID.
Processing Product sales detail stored so that the clicks and sales can be linked (anonymously) for aggregated performance reporting or click-to-sale data export.
Number 1.7
Data subject Consumer
Data Point Location
Optional Yes
Data controller Brand
Use case Consumer interacts with a WTB “maps” widget on a brand website/asset and we acquire their location by manual entry, GEO IP look-up or browser location services.
Processing We use this location to serve the consumer location specific/proximity based purchase options. We store this location for aggregated performance reporting/analytics (anonymous).
Number 1.8
Data subject Consumer
Data Point User interactions
Optional Yes
Data controller Brand
Use case Consumer interacts with a WTB widget on a brand website/asset and we acquire certain UI interactions with the widget. Processing We use this anonymous telemetry data for aggregated performance reporting/analytics (anonymous).
Number 2.1
Service Paid Campaign Where To Buy
Data subject Consumer
Data Point Impression IP Address
Optional No
Data controller Brand
Use case Consumer interacts with a WTB widget in a paid campaign context and we record those events with the IP address as telemetry data.
Processing IP address stored & sometimes used to aggregate events for reporting e.g. impressions per market.
Number 2.2
Data subject Consumer
Data Point Click IP Address
Optional No
Data controller Brand
Use case Consumer clicks on a WTB link in a paid campaign context and as a web facing service we capture their IP address.
Processing IP address stored, sometimes used to aggregate the clicks for reporting e.g. clicks per market.
Number 2.3
Data subject Consumer
Data Point Click Analytics GUID
Optional Yes
Data controller Brand
Use case Consumer clicks on a WTB link on a brand website and the brand-site appends the analytics user id from the consumer’s browser to the request.
Processing Userid stored so that the click and possibly subsequent sales can be shared back with the brand with that user context.
Number 2.4
Data subject Consumer
Data Point Click ID
Optional No
Data controller Brand
Use case Consumer clicks on a WTB link on a brand website and is-redirected to a retailer (possibly via an affiliate), we pass a ClickID in the URL. The retailer or affiliate may drop a cookie with this ClickID or record it in another manner.
Processing ClickID stored so that the clicks and sales can be linked (anonymously) for aggregated performance reporting or click-to-sale data export.
Number 2.5
Data subject Consumer
Data Point Click Product
Optional No
Data controller Brand
Use case Consumer clicks on a WTB link on a brand website/asset and we record the product clicked on.
Processing Product ID stored so that the click and possibly subsequent sales can be shared back with the brand with that product context.
Number 2.6
Data subject Consumer
Data subject Product Sales from Clicks
Optional Yes
Data controller Retailer
Use case Consumer purchases a product on a retailer site after we have directed them to the site. The retailer then shares this sales detail with us along with the originating ClickID.
Processing Product sales detail stored so that the clicks and sales can be linked (anonymously) for aggregated performance reporting or click-to-sale data export.
Number 3.1
Service All Services
Data subject Authorised Users
Optional Name, eMail
Data controller Brand
Use case For general service and portal use we need to store a set of users names and email addresses to control access and provide support.
The categories of data subjects are: Authorised Users and Consumers