As part of the preparation for the General Data Protection Regulation (GDPR), organizations need to consider to what extent they act as controllers versus when they are considered processors in their data processing activities.
The concept of controllers and processors is not new under the GDPR, but has become more relevant as controllers are facing stricter requirements of accountability. As part of our in-depth privacy impact assessment, we have evaluated our position under the GDPR, and have summarized key findings and the impact this has on our relationship with our advertisers.
Defining the data controller
Data controllers determine the purpose of the processing and the means to achieve that purpose. Determining the purpose can be thought of as determining why the processing should take place, whereas determining the means can be thought of as determining how the processing should take place. The purpose and the means can be determined alone or jointly with others.
Determining the purpose – ‘The why’
In the context of the tracking services provided by Awin, the purpose of the data processing will be determined by our advertisers. It is the advertisers who determine whether or not to run an advertising campaign when participating in our affiliate network. Therefore, implementing the affiliate marketing campaign with Awin will represent the core purpose of processing the personal data used for our tracking technologies.
In the operation of the affiliate network, Awin has determined the general economic model associated with the processing, namely the payment of sales commissions by advertisers to publishers and network fees to Awin, based on a percentage of the commission payable. Accordingly, Awin determines elements of the purpose of the data processing.
Determining the means – ‘The how’
In determining the means, or ‘the how,’ it needs to be considered who decides on the essential aspects of the processing. According to the Article 29 Data Protection Working Party Opinion 1/2010, "the means include both the technical and organizational questions where the decision can be well delegated to processor and the essential elements, which are traditionally and inherently reserved to the determination of the controller, such as 'which data shall be processed?,' 'for how long shall they be processed?,' 'who shall have access to them?,' and so on."
Regarding tracking, Awin determines essential elements of the means of data processing. This includes the determination by Awin of personal data to be processed to facilitate tracking. Data processing examples include:
- Tracking domain cookies and the journey tags
- Device Fingerprinting
As noted above, the purpose and means can be determined jointly with others, whereby those involved in the data processing will be considered joint controllers under the GDPR.
In Awin’s relationship with the advertisers, the purpose will predominantly be determined by our advertisers, whereas the means will principally be determined by Awin.
Therefore, we consider that in the ordinary course of our business, Awin acts as a data controller jointly with the respective advertiser.
What this means for Awin and our advertisers
As joint controllers, we will assume the same obligations under the GDPR as our advertisers. This means we will have shared responsibility in safeguarding the data we use for our tracking purposes, and will be subject to the same obligations and level of accountability before data protection authorities.
Naturally, this also means the traditional controller-processor model will not apply within our relationship. Instead, Awin and its advertisers will have to regulate their relationship as joint controllers.
To ensure we formalize this arrangement correctly, we have introduced a template data processing agreement defining our obligations and relationship as joint controllers.
In the coming weeks, we will be reviewing our existing data processing agreements to make sure our current set-up will be factually and legally correct under the GDPR, and will of course keep you updated with these changes.
What about publishers?
Awin is still investigating its data processing relationship with publishers, and we will share our evaluation shortly.
In the meantime, if you have any questions regarding the GDPR, get in touch here.
Local data protection authorities explain data processing and controlling in further detail. The Information Commissioner’s Office (ICO) in the UK provides some useful examples of when a company is considered a controller and/or processor for additional context here.