GDPR

Airbridge, an attribution analytics service offered by AB180 Inc, is committed to data security and protection standards as outlined in the GDPR to empower users with their rights to data privacy and control.

Airbridge holds users’ rights to data privacy and control in the highest regard, collecting and processing only what is strictly required for attribution analysis. Our strict adherence to user data privacy is evident across all our engineering, giving data subjects their full range of rights, including data control, deletion, retention, transfer, and more.

What is GDPR?

The GDPR (General Data Protection Regulation) is a regulation of the European Union (EU) on personal data protection, which came into full effect on May 25, 2018. It ensures the free movement of personal data within the EU member states and strengthens the data subject’s right to protect their personal data.

The GDPR sets out the rights and duties of three major roles: the data subject who owns and provides personal data, the controller who determines purposes and measures of processing personal data provided by the data subject, and the processor who performs processing on behalf of the controller.

In the case of Airbridge’s services, our clients, who receive advertising campaign measurement and attribution services, are data controllers. Customers of the clients' services, who in effect provide their personal data as members of the client company, are data subjects. Lastly, Airbridge, which receives the data subjects’ data through clients for data processing such as campaign measurement and attribution, acts as a data processor.

GDPR Compliance by Airbridge

Data Security

In order to keep client data secure and meet the security requirements of the GDPR, Airbridge makes its best effort to monitor and manage all kinds of tangible and intangible security threats at all times. We implement data security on various levels, including products, system infrastructure and network, data storage and transfer, access control, development, monitoring, business continuity and disaster recovery, internal and external audits, and physical and human resources security. For more information, check out Airbridge’s Information Security.

International Data Transfer

Airbridge has also consented to Standard Data Protection Clauses (SDPC, also known as Standard Contractual Clauses) in order to legally and safely receive data for data processing from clients based in the EU (controller) as well as citizens living in the EU (data subjects). SDPC, enacted and standardized by the European Commission, is the easiest way to transfer data to third countries or international organizations, guaranteed by the GDPR. As it includes the EU data protection principles, transfer of personal data to third countries or international organizations through SDPC is deemed to guarantee appropriate safeguards for the protection of personal data. For more information, check out Article 46 of GDPR.

Data Subject Request Management

Airbridge guarantees most of the data subjects’ rights included in the GDPR. These rights are based on the basic principle that data subjects themselves should be able to control their data. Data subjects can either exercise their rights directly with Airbridge via electronic means such as the Web UI (User Interface) listed at this link, or exercise them indirectly through the clients (controllers) affiliated with them. Clients can also conveniently send complaints to Airbridge by using the Web UI. Airbridge, as a processor, guarantees the data subject the following rights:

  1. The right to be informed: Individuals have the right to be informed of what kinds of data are collected and processed by which data controller and processor. This is as shown in the table below.
  2. The right to erasure (also known as the right to be forgotten): Individuals have the right to have their personal data erased.
  3. The right of access by the data subject: Individuals can access the personal data that they have provided.
  4. The right to data portability: Individuals can transfer their personal data to other subjects.
  5. The right to rectification: Individuals can rectify their personal data.
  6. The right to restriction of processing: Individuals can make the data controller or data processor store provided personal data, but not process it.

Data Protection by Design and Default

Airbridge has designed data protection into its service with the intention of keeping the data subject’s personal data secure and protecting the whole procedure, from collecting and processing data to providing data, with respect to data security and personal data protection.

  1. Personal data are collected with the consent of the data subject.
  2. The transfer of any personal data collected without the consent of the data subject, or belonging to children under 14 years old, can be blocked beforehand by using the Opt-Out function of the SDK.
  3. Sensitive personal data are stored and processed after being encrypted and pseudonymized.
  4. Collected personal data are never to be provided or sold to a third party.
  5. In the process of collecting, processing, and providing data, no one who has not been given the right to do so, including staff at Airbridge, can access personal data.

Representative

The GDPR requires a written designation of a representative in the EU by the controller or processor not based in the EU. Contact information and address of AB180 Inc., a service provider of Airbridge, in the EU are as follows:

GDPR-Rep.eu
Maetzler Rechtsanwalts GmbH & Co KG
Attorneys at Law
c/o AB180 Inc.
Schellinggasse 3/10, 1010 Vienna, Austria

Please add the following subject to all correspondence:
GDPR-REP ID: 12799064

Information that Airbridge provides to the data subject according to the right to be informed

| Types of Information | Contents |
| --- | --- |
| Identification and contact information of the controller and its representative (if applicable) and contact information of DPO | Data Controller: It may differ depending on clients; Data Processor: AB180 Inc.; Contact Information: compliance@ab180.co; DPO: Wonkyung Lyu, compliance@ab180.co |
| Purpose of processing the personal data | To analyze the effects of mobile application advertisements |
| Legitimate benefits that the data controller or a third party may obtain | When advertising a mobile application, the data controller can clearly analyze the effects of advertisements as the collected data are analyzed through the processor. The data processor analyzes the effects of advertising and gets payment for the services accordingly. |
| Recipient of personal data and types of recipients | Recipient: AB180 Inc.; Types of Recipient: Data Processor |
| Details transferred to third countries and the protection method | Transfer Item: Collected personal data; Transfer Countries: Republic of Korea, Japan; Protection Method: Online transfer via a security protocol (encryption) |
| Period of retention or criteria applied to decide the period of retention | Retention Period: Up to one year; Criteria: The data processor, AB180 Inc., based in the Republic of Korea, can retain data for up to one year without a reason to retain the data, under the Personal Information Protection Act of Republic of Korea. |
| Existence of each right owned by the data subject | The data subject owns the right to be informed, the right to be forgotten, the right of access by the data subject, the right to rectification, the right to data portability, and the right to restriction of processing. The data subject can either exercise each right directly by themselves and transfer it to the data processor (using email or Web UI) or make a request directly to the data processor using Web UI to exercise the right. |
| The right to withdraw consent at any time | The right is exercised in such a way that, after the data subject withdraws consent through the data controller, the data controller informs the data processor of the withdrawal by electronic means (after using the Opt-Out function of the SDK, send a request for data deletion using email or Web UI). |
| The right to lodge a complaint with a supervisory authority | Every data subject has the right to lodge a complaint with a supervisory authority without prejudice to any other administrative or judicial remedy. In this case, the data subject can lodge a complaint with a supervisory authority in the member state of habitual residence, place of work or place of the alleged infringement. |
| Whether the provision of personal data is a statutory or contractual requirement or obligation and the possible consequences of failure to provide such data | Provision of personal data is not a statutory or contractual requirement or obligation. Without the data subject’s consent on provision of data, the data controller should stop providing data using an Opt-Out function which the data processor offers. Even if the data subject has already consented or the data have already been provided, the data subject can withdraw the consent. The data processor should not discriminate against the data subjects with respect to providing services even if the data subject does not provide personal data. |
| The existence of automated decisions, including profiling, as well as how such decisions are made, and their significance and the envisaged consequences | The data provided by the data subject undergo electronic data profiling to analyze the effects of advertisements. However, the data subject is not the target of automated decision-making herein. In particular, any legal or similarly significant effects are not produced. |

The best practices for clients (the controllers) wishing to conform to the GDPR

The best practices listed below can help clients conform to the GDPR. Conforming to the GDPR can help you to build customer trust and minimize the risks of regulatory restrictions if you are operating services for citizens living in the EU.

  1. Find out whether you (client) are subject to the GDPR.
  2. If you are subject to mandatory designation of a DPO as set out by the GDPR, designate a DPO who will carry out duties according to the GDPR.
  3. Find out what kind of data are collected from the data subject and in what way they are processed and stored. Identify and improve vulnerabilities at each step that may lead to the leakage of political and technical data.
  4. Figure out the rights that should be guaranteed for the data subject and implement measures to accept the data subject’s requests in a simple way.
  5. Before collecting data from the data subject, obtain consent to personal data collection using a ‘freely given, specific and clear, and yet unambiguous’ method. In addition, if personal data of children are to be collected, they should be processed after obtaining the consent of their legal guardian.
  6. In case of exchanging personal data with a third controller or processor, conform to the method of personal data transfer to third countries or international organizations set out by the GDPR.
  7. In case of an incident of personal data leakage, report immediately to the supervisory authority and inform the data subject of the incident. It is recommended to establish measures for such incidents in advance.
  8. According to the GDPR, any global corporation not based in the EU should designate a representative in the EU. Designate a representative who will communicate with the EU supervisory authority.
  9. Use a 3rd party tool, such as Airbridge, that conforms to the GDPR. You can conform to the GDPR more safely and conveniently.

Resources

To make a GDPR request to AB180 Inc.: https://gdpr-rep.eu/dsrtool/12799064

To learn more about the GDPR: https://gdpr.eu

Airbridge's Privacy Policy: https://airbridge.io/privacy-policy.html

Airbridge's Information Security Page: https://airbridge.io/information-security.html

Airbridge's Terms of Service: https://airbridge.io/terms-of-service.html