GDPR Data Policy
Ad Network Solutions B.V., is a company incorporated under Dutch law, having its registered address situated at Keizersgracht 203 4, 1016 DS Amsterdam, the Netherlands and bearing company number 88337367 (hereinafter the “Company”). The Company is an online marketing network that liaises between affiliates and advertisers to achieve maximum sales results for all parties through strong relationships and the power of technology.
|Data Controller||the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.|
|Data Processor||the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;|
|Data Subject||refers to any individual person who can be identified, directly or indirectly, via an identifier such as a name, an ID number, location data, or via factors specific to the person's physical, physiological, genetic, mental, economic, cultural or social identity|
|Data Subject||means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the controller;|
|GDPR||Regulation (EU) 2016/679 of the European Parliament and of the Council Directive 95/46/EC (General Data Protection Regulation).|
|Personal Data Breach||is 'a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.|
|Personal Identifiable Information (“PII” or “Personal Data”)||means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.|
|Processing||any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.|
As per the GDPR, the Company complies with the 7 principles involving Personal Data as per article 5 of the GDPR:
Personal Data shall be:
The Company has developed guidelines for its employees and all its staff to ensure that its data processing and securing measures follow GDPR obligations. In addition, ongoing corporate training and awareness programmes for all the employees and staff who are involved with the processing of Personal Data is being given.
Any data access requests that any employee and/or staff receives, should be forwarded immediately to their immediate manager.
Data Subjects have the following rights via the GDPR:
|Right||Timeframe for completing the requested action|
|Right to Information||Information about Personal Data collected is displayed instantaneously when creating an account.|
|Right of Access||Information about all Personal Data collected can be obtained within 1 month from the date that the request is submitted.|
|Right to rectification||All inaccurate Personal Data will be corrected within 1 month from receiving the request.|
|Right to be forgotten (or right to erasure)||Unless required by Union or Member State law, all Personal Data will be erased within a maximum of 2 business days.|
|The Right to restrict processing||Without undue delay|
|The Right to Object||The Company will no longer process the Personal Data as soon as it obtains the objection.|
|Right to withdraw consent||Without undue delay|
|Right to object to automated processing||Without undue delay|
|Right to Data Portability||One month from the date that the request is submitted|
A Data Subject Access Request (“DSAR”) can be made by a Data Subject or their legal representative, and such request must be made in writing. In general, verbal requests for Personal Data held about a Data Subject are not valid DSARs. In the event a DSAR is made verbally to a staff member of the Company, further guidance should be sought from the Data Protection Officer (hereinafter “DPO”) or the appointed privacy professional.
A DSAR can be made via any of the following methods:
DSARs made online must be treated like any other DSAR when they are received, though the Company must not provide personal information via social media channels. In addition, the Company is not required to respond to requests for information unless it is provided with sufficient details to satisfy itself as to the identity of the Data Subject making the request.
The Company must provide a response to Data Subjects requesting access to their data within 30 calendar days of receiving the DSAR, unless Dutch Law specifically dictates otherwise. Should the Company require more time, the Data Subject or his or her legal representative must be notified in writing.
The Company has the right to charge a fee for the processing of repetitive and excessive Data Subject Access Requests (as defined under the GDPR). In doing so, the Company will justify the charge and prove that the requests are excessive and repetitive in line with this Policy.
When dealing with a DSAR, the Company should take the following steps:
The Company should not normally disclose the following types of information in response to a DSAR:
Finally, it is up to the DPO who/which can advise on the decision as to whether a document can be shared or not.
In the case of a Personal Data breach, the Data Controller shall without undue delay and not later than 72 hours after having become aware of it, notify such to the supervisory authority, unless the Personal Data breach is unlikely to result in a risk to the rights and freedoms of the Data Subject. When the notification is not made within 72 hours, it shall be accompanied by reasons for the delay.
The Data Processor shall notify the Data Controller without undue delay after becoming aware of a Personal Data breach. The notification shall at least contain:
When the Personal Data breach is likely to result in a high risk to the rights of a Data Subject, the Data Controller shall communicate the said breach to the Data Subject without undue delay. Such notification shall be written in a clear and plain language.
Such communication is not needed if any of the below actions are met:
If the Data Controller has not already communicated the Personal Data breach to the Data Subject, the supervisory authority having considered the likelihood of that Personal Data breach resulting in a high risk, may require it to do so or may decide that any of the conditions mentioned in the above paragraph are met.
The Company adheres to the following measures to ensure the GDPR is complied with: