Privacy compliance in Europe is about to change significantly. In a new regulation adopted by the European Union, data protection that targets users has come to the forefront, in a move to define and strengthen what business can and cannot collect about their userbase. It’s time Adjust looked at the GDPR in a little more detail, to understand what it could mean for our customers.
But first, let’s get straight to the question that you probably have for us.
Is Adjust GDPR compliant?
Yes, we are.
Adjust is ePrivacy certified, which is a well-known, highly respected German company that evaluates if companies comply with applicable Data Protection Laws. As we are certified, we already comply with laws set out in the GDPR. We have further documentation in place which can be requested if necessary.
We are now required to have a data processing agreement (known as a DPA) in place for every client. Fortunately, all of our clients should already have one in place as they make up part of our terms and conditions as well as our physical contracts we sign with clients. If you don’t already have one in place, it’s easy to sign one with us. We also have the requested documents like Technical and Organisational Measures (TOMs), procedure index and deletion policy in place as well.
For data storage information - Adjust stores all data of our European clients in Europe. Our main servers are located in Frankfurt, Germany and our back-up server is located in Amsterdam, Netherlands. We have proper servers on the ground and no cloud services, so there are no third parties to consider in our structure, should you need to map your data flow.
The legislation affects all businesses who want to work inside of the EU, even if the company is based outside of the region. The only thing that matters is where the user is based the moment you are collecting their data (Art. 3 GDPR). As Adjust is based within Germany, we’re used to adhering to stringent privacy laws. If you’re tracking with another attribution provider, you would need to check that they are also compliant with the ruling if you are tracking European users.
Finally, your customers can opt-out of Adjust tracking if they would like to. You can allow users to do this directly in your app, or direct your users to Adjust’s opt-out page.
With that, let’s dive into the details on what the GDPR is, and how it will affect app businesses.
What is the GDPR?
The European General Data Protection Regulation (known as the GDPR) is a new set of rules created by three bodies: the European Parliament, the European Council and the European Commission. This new law has been designed to strengthen and unify data protection for all individuals within the European Union (EU), though it also addresses the export of personal data outside the EU as well.
The GDPR, in essence, aims to give control of personal data back to citizens and residents, and to simplify and harmonize the regulation for international business by unifying the regulation within the EU.
Personal data is defined as being any record that could identify an individual, such as names, phone numbers and addresses. It has also been extended to digital identifiers such as IP addresses, cookie IDs, digital fingerprints, and user IDs (Art. 4 Nr. 1 GDPR).
The new law creates a much higher standard that businesses can be held to, and large fines of up to €20m, or 4% of global GDP per business are in place for failure to comply with the legislation.
The GDPR becomes enforceable on May 25th, 2018. It does not require national governments to pass any enabling legislation, and is therefore directly binding and applicable.
The regulation also gives users:
- The right to be forgotten: users can now request to have their data deleted
- The need to provide explicit consent: businesses now have to ask users to collect, use and process data
- Mandatory data breach notifications: if a data leak occurs, authorities and users must be notified within 72 hours
- Privacy by design: data protection is a vital consideration throughout a project lifecycle
- A Data Protection Officer: Large enterprises are now required to employ someone dedicated to managing data protection
While the content on this page is designed to help you understand the GDPR when working with third parties, the information contained should not be construed as legal advice. You should consult with your own legal counsel with respect to interpreting your unique obligations under the GDPR and the use of a company's products and services to process personal data.