TradeTracker is internationally present, and as members of the online community, we know better than anyone the internet’s ability to make national borders irrelevant.
Our global office presence helps us remain approachable and relevant to individual national markets, while also opening a network of potential international partners.
An ambition to grow has led to our presence in over 19 different countries, while we continually make plans for our next big venture.
At TradeTracker, privacy and data protection are important to us. The new General Data Protection Regulation (GDPR) is set to significantly change the data protection landscape in Europe (and beyond). TradeTracker is committed to embracing this change. Information about the role of TradeTracker is described in TradeTracker’s GDPR white paper.
In the first instance, TradeTracker determines what information to track, and how to track it, and based on which technology. TradeTracker then informs the advertiser on the measures to be implemented to be able to make use of the services of the network, and under which economic model these services are carried out.
It is based on the outcome of the balancing test and on the principle that the data used in the course of executing the tracking activities carries a very low risk of negative impact on the data subject’s interest and will not result in a high risk to individuals being tracked.
Affiliates are a data controller when they provide for a newsletter subscription or otherwise have a (contracted) relationship with visitors – being their customers.
Whether one is controller or processor depends on the relevant party. It is important to understand the position of the party, as defined in the GDPR. A data controller is the entity which determines the purpose and manner for which data is processed, either by itself or alongside others. This means that the data controller determines ‘why’ data is processed.
The data processor, on the other hand, does not make decisions as to why the data should be processed. However, it can make some limited decisions about ‘how’ the data should be processed. This means, for example, a data processor may make decisions about the type of software used in the processing, but it may not make decisions about the essential elements of the processing. A key essential element of processing is which personal data to process. Therefore, if a data processor, while assisting the data controller in achieving its purposes, decides what data should be processed to achieve those aims, it will most likely become a data controller jointly with the first controller.
This is up to each party to determine. TradeTracker processes personal data as a Data Controller with regard to the tracking of transactions under Article 6.1(f) – legitimate interest. Under Article 6.1 of the GDPR, processing shall be lawful only if and to the extent that at least one of the following applies:
No, we will not sign a data processing agreement, but instead an arrangement. Both the merchant and TradeTracker are Data Controllers, making us Joint Controllers. Also, certain information will remain in the TradeTracker system even after the contractual obligations are completed, for the sake of reporting to other (previously) involved parties. This is part of the reason why TradeTracker is (also) a Controller.
TradeTracker also positions itself as a data controller, not a processor, for the purpose of the affiliate program. Under Article 26 of the GDPR, where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall determine their respective responsibilities for compliance with the obligations under this Regulation in a transparent manner, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14 of the GDPR, by means of an arrangement between them.
No, this is not standard procedure since TradeTracker (also) positions itself as a data controller for the purpose of the affiliate program. The affiliate and TradeTracker are both Data Controllers, making us Joint Controllers for which parties need to agree on how to handle respective responsibilities.
TradeTracker is a Data Controller in respect of the affiliate program. In this case the merchant and TradeTracker are joint controllers, whereby the agency has certain obligations it needs to meet under the Data Processing Agreement it has in place with the merchant. In this case, Article 26 arrangements need to be in place between the Agency and TradeTracker and the addendum is often sufficient. If the agency insists on having (only) standard data-removal articles added to the addendum, to meet their obligations, this amendment is possible since it is a general requirement under GDPR for data to be removed upon request.
There is no need to explicitly mention the individual parties you share data with or use as (sub-)processor. However, the category of recipients needs to be specified as third parties, in which case the TradeTracker service relates to e.g. online marketing services. Customers are allowed to create their own statement or alternatively may use the following text example:
[Merchant/Affiliate] makes use of the services of TradeTracker.com. Their role is to help advertisers and publishers understand which advertisements displayed by publishers have generated which sales, leads or other actions for advertisers. This allows the advertiser to pay a publisher only when the advertisement displayed (or any alternative required action) by the publisher refers an individual to the advertiser and that individual makes a purchase. TradeTracker uses data, including cookies, to achieve this understanding. This data relates to individuals but does not identify them by name. It is pseudonymous data and relates to a single referral by an individual from one website to another, and then a confirmation that a purchase was made.
TradeTracker also maintains a database of references to individuals’ devices, so that they can understand whether an advertisement viewed on one device, for example a phone, caused a purchase to be made by that individual on one of their other devices, for example a laptop. This database does not allow people to be identified by name, which is not possible for TradeTracker itself to achieve.
TradeTracker does not build profiles which show an individual’s internet purchase history over a period of time. TradeTracker also does not target individuals with advertisements for products and services based on their perceived interests. Their role is simply to measure the effectiveness of specific online advertisements.
Yes, there is a possibility to opt out of TradeTracker cookies. Publishers can apply the TradeTracker ‘deny-handler’ to opt out from TradeTracker cookies.
On one hand, cookie consent is required for placing any non-functional cookie, irrespective of whether personal data is included in such cookie. On the other hand, data consent is one of the lawful grounds to process personal data, referring to Article 6.1(a) of the GDPR. Therefore, giving consent to cookies being placed and giving consent to data being processed can be two very different things.
TradeTracker does not depend on consent from the individual / data subject, due to the legitimate interest as a legal basis for processing personal data. The processing of personal data and consent for cookies however are two separate things to consider.
In certain countries, like the Netherlands, affiliate cookies are exempted from requiring consent as required under the current ePrivacy Directive. Hence, explicit consent is not required for this type of cookie unless it contains personal data.
If a user explicitly opts out of cookies and this information is adequately passed on to TradeTracker, the user expects cookies to not be set. In general, only when the user explicitly requests to opt out from TradeTracker processing their personal data is the transaction not tracked. Alternative tracking methods are used otherwise, and transactions will generally be tracked.
Yes, if data provided to TradeTracker is considered personal data. For example, the Order ID is considered personal data and consequently parties need to make arrangements with regard to that data. Such arrangements are provided for under the standard merchant agreement and alternatively the standard GDPR addendum.
Under the current ePrivacy Directive there is no obligation to provide a possibility to reject cookies. Instead, the website provides a well-informed consent requirement to the user. The alternative is to leave the website.
TradeTracker only stores the data for as long as is required to achieve the purpose for the particular processing of the data but removes any personal data [maximum 24 months] after the contract is terminated or after transactions are invoiced and paid out to the affiliate depending on the type of data.
Data related to the services of TradeTracker and performance of the contractual obligations between the network, merchants and affiliates are physically stored in the EU / EEA.
The TradeTracker platform is built to provide limited access to users, depending on their need to work with such information. Masking the last octet of IP addresses is sufficient in the interfaces since it is only visible to the users operating under the contractual terms. Outside the UI the data is pseudonymized and therefore complies with GDPR. The information available to TradeTracker staff is used for fraud prevention.
Based on the limited personal data gathered by TradeTracker, the only information to possibly be removed is transaction data connected to an IP address. However, this can only be achieved by either receiving order IDs from the merchant, or the user sharing the IP address. The latter is not reliable due to its changing character.
Alternatively, the user refers to personal details (like contact details) provided as an affiliate. These can be anonymized upon request or alternatively will be removed according to internal policies.
As the consumer starts its journey on the publisher’s site, the publisher is responsible for safeguarding the visitor’s personal data, for example, by operating under SSL protocols. This means that as the visitor continues its journey to the merchant, it passes via TradeTracker servers through a secured connection. Here, TradeTracker is responsible for the adequate processing and safeguarding of the data. Subsequently, as the visitor browses the site of the merchant, it is the merchant’s responsibility to safeguard the data.
Data centres and applied infrastructure are built in clusters in various regions. All data centres are online and serving customers; no data centre is “cold.” In case of failure, automated processes move customer data traffic away from the affected area. Core applications are deployed in an N+1 configuration, so that in the event of a data centre failure, there is sufficient capacity to enable traffic to be load balanced to the remaining sites. Furthermore, Processor makes use of DDoS mitigation technologies.
Data processing locking mechanisms make sure the Data is only processed if prior processes have completed successfully. This means that integrity of the data is guaranteed.
Personal Data is encrypted, and only selected employees have access to the processing actions of the Data. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee or otherwise involved with the company.
Adequate review of policies and applications is executed every six months. TradeTracker is assisted by third party legal advisors to review continued compliance.
Upon request of Controller, Processor or Data Subject, TradeTracker undertakes to provide records of any Data Subject and has devised a streamlined process to adhere to such requests in a timely manner.
TradeTracker makes use of various monitoring and logging tools on both application and infrastructure level. All data processed through such activities is fully compliant with privacy policies.
Individual records containing any Personal Data are stored with a ‘time to live’ (TTL) and will be removed or destroyed / anonymized at such point.
Amazon Web Services (AWS) delivers a scalable cloud computing platform with high availability and dependability, providing the tools that enable AWS to run a wide range of applications.
Among others, the following measures are adhered to by AWS: AWS data centres are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data centre floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
We understand that the new GDPR regulations may cause queries to come up. For further questions concerning TradeTracker and the GDPR you can email: [email protected]