The questions and answers in this Guide are designed to give you an understanding of how European privacy regulations – the General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePD) – apply to Cheetah Digital, how Cheetah is achieving compliance, and how the European approach to privacy informs our Customers' use of our marketing platforms and services (“Services”).
Privacy is necessarily contextual. Since every company, from its business objectives to operational realities, is different, what is an appropriate privacy practice for one organization may not be for another. In providing our own view on this complex topic, Cheetah Digital makes no guarantees about compliance with any law or regulation, European or otherwise. While we hope this Guide is informative, we do not intend for it to be construed as legal advice.
If you have additional questions about Cheetah Digital after reviewing the information and our privacy policies, please contact our Privacy Office.
What is the EU General Data Protection Regulation (GDPR)?
Set to replace the European Union’s Data Protection Directive 95/46/EC, the General Data Protection Regulation seeks to update and harmonize privacy laws across Europe while providing individuals in the EU (“Data Subjects”) with enhanced control over their personal data. At its core, the GDPR challenges organizations to make privacy a key factor in customer, product and partnership decisions.
The GDPR tasks all organizations to:
"address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data"
"demonstrate compliance with this Regulation", and
"[take] into account the rights and legitimate interests of data subjects and other persons concerned."
The GDPR will also empower the existing ePrivacy Directive 2002/58/EC (and its proposed replacement, the ePrivacy Regulation), which sets out specific rules and obligations for the way organizations interact with online individuals located in the European Union. The GDPR goes into effect on May 25, 2018.
How is Cheetah Digital meeting requirements under the GDPR?
A cross-functional GDPR team is working proactively to ensure readiness across our global organization by May 25 and beyond. We have completed an assessment of our systems and processes relating to personal data, and are implementing mechanisms to further ensure the accountability, transparency and proportionality of our personal data uses as an enterprise and service provider.
Cheetah Digital is committed to complying with the GDPR’s information security, record keeping, and notification requirements, and will support our Customers with providing consumers access to their itemized rights under the Regulation. We have appointed a Data Protection Officer to independently oversee our GDPR program and to represent the interests of EU individuals whose personal data we handle as both an enterprise and a service provider.
Cheetah Digital Services
Our platforms and services are built with privacy in mind, employing transparency, data minimization and permission-based policies. Our focus is on email delivery and cross-channel campaign management, which enable our Customers to communicate directly and effectively with their customers and subscribers. Cheetah Digital does not unilaterally collect or share our Customers' data, engage in online surveillance or broker audience profiles for ad targeting purposes. For more information about our privacy practices as related to our product offerings, please refer to our Services Privacy Notice.
Obtaining Data Subject end-user consent
As a participant in the digital marketing ecosystem, our Services are covered under the ePrivacy Directive, which requires additional transparency and consent(s) for the delivery of commercial electronic messages, the placement of certain cookies, collection of mobile device data and other unique IDs, and the responsible handling of electronic communications data in general. As a permission-based service provider, we rely on cooperation from our Customers and their third parties to ensure that messaging end-recipients are sufficiently notified and appropriate consent(s) are obtained to enable message delivery and remarketing use cases, as well as the analytics driving critical engagement measurement and reporting. We encourage our Customers to evaluate whether they can achieve the higher standard for consent under GDPR and as premeditated in our terms of service and Global Anti-Spam Policy.
We are following the issue of consent for cross-channel uses closely, including the adtech industry’s response to these evolving standards under the GDPR-empowered ePrivacy Directive, and are prepared to move quickly as a vendor where appropriate.
Honoring Data Subject Rights requests
Chapter 3 of the GDPR introduces new and enhanced rights for Data Subjects with respect to their personal data. These Rights are:
Right to be informed (about processing activities and applicable rights)
Right to access data (or obtain data being processed)
Right to rectify information (when outdated or incorrect)
Right to erasure (and to be publicly forgotten)
Right to object to processing (particularly activities based on consent)
Right to restrict processing (when processing is deemed to be unlawful)
Right to data portability (between proprietary systems in a common format)
Rights related to automated decision making (including decisions based on profiling activities)
As a Data Processor, Cheetah Digital has developed technical and procedural processes to support our Customers' efforts to honor the Data Subject Rights most applicable to our Services. Our platforms already natively support Rights which do not require additional identity verification and request validation steps to be taken by our Customers. This includes the ability of individuals to object to electronic marketing (through in-email opt-out facilities), to update their contact details (using preference centers we may host for our Customers), and to lodge complaints about unwanted or unsolicited communications (using automated and managed abuse feedback facilities). Our efforts to support our Customers’ compliance objectives with these and other aspects of the GDPR are ongoing and will continue to evolve to meet our mutual needs.
Privacy breach notification
Cheetah Digital has an established, risk-based incident response management process. This process meets the data breach requirements under GDPR and precursor EU data protection law. Breach reporting to Customers (and applicable national regulators) will be coordinated with our Security, Privacy and Legal teams, as well as our Data Protection Officer as required.
We will notify Customers as soon as reasonably practicable but at least within 72 hours after confirmation of a breach affecting Customer personal data.
Data protection and retention
We have a comprehensive global information security program governing the confidentiality, accessibility and integrity of client data. Our security posture is modeled after ISO 27001/2 standards and is subjected to annual SOC 2 Type II audits by independent examiners. With regard to IT systems, we ensure all components of our technology stack are properly secured. This begins with end user laptop encryption and end point protection solutions (DLP). Also, in compliance with GDPR Article 35, we have enhanced our product development and governance processes to review existing and new products for privacy risk. Through this exercise we identify and classify the personal data under our care, manage our use of it, and protect it.
We retain the personal data provided to us by our Customers, or that we collect on behalf of our Customers, for the length of time needed to fulfill our Services as discussed in our Services Privacy Notice. This is generally for the life of the contract unless a shorter retention period is requested by the Customer, and as set out within our platform retention schedules. We believe our retention of Customer data is necessary, minimal and proportional to our business needs and interests.
Cross-border data transfers
Cheetah Digital is a global service provider and operates a follow-the-sun support model. EU residents’ personal data may be transferred to or accessed from outside the EU/EEA by Cheetah personnel within our international support locations, notably in the United States.
We have the European Commission’s standard contractual (model) clauses in place in contracts between Cheetah Digital group companies and with our Customers to secure data in line with European standards. Under our global service model, any Cheetah Digital company may have access to the personal data of EU residents and the clauses in these contracts ensure that any personal data exported outside of the EU/EEA is suitably protected.