GDPR FAQ | Sojern

Sojern’s Perspective on GDPR and FAQ

Last Updated: May 22, 2018

Using data responsibly has always been a key tenet of Sojern’s corporate data policy. We have a strong track record of providing customers with solutions that both solve their business needs and that protect consumer privacy. This approach puts privacy and security at the center of how we manage our platform, work with partners, and operate our business.

We believe GDPR harmonizes a fragmented regulatory framework in the EU, and is a positive step forward for the industry and individuals. We fully support regulation that ensures a person’s private information is protected, and have created this FAQ so customers, partners and consumers better understand the steps we are taking to comply with new GDPR legislation.

Introduction

This set of frequently asked questions sets out Sojern’s approach for addressing the requirements of the European General Data Protection Regulation that is scheduled to go into effect on May 25, 2018 (“GDPR”).

Please note that this FAQ does not constitute legal advice. It is for informational purposes only and may be updated at any time without notice. You should seek professional legal advice where appropriate.

For additional information, please contact us via email at sojernprivacy@sojern.com.

Frequently Asked Questions

1. Does Sojern collect and process personal data as defined within GDPR?

Yes, Sojern collects what GDPR defines as “pseudonymous personal data.” Under GDPR, personal data is broadly defined as information that relates to an identified or identifiable individual. Personal data is categorized under two groups:

    • Personal data that can directly identify an individual, such as name, address, phone number and social security number.
    • Pseudonymous data, which allows behaviors of an individual to be collected but does not directly identify that individual. Examples of pseudonymous data include cookie IDs, mobile device IDs and hashed emails.

Sojern only collects and processes pseudonymous data to deliver its advertising services. In particular, we regularly utilize cookie IDs and mobile IDs to collect information about travel intent, such as flight searches and travel dates.

2. Does Sojern store “sensitive personal data” as defined within GDPR?

No. Under GDPR, sensitive personal data is defined as data relating to a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, and/or sexual orientation. Sojern does not collect or use sensitive personal data, and it is not required to perform any operations of our platform.

3. Is Sojern a Data Controller or Data Processor as defined by GDPR?

Under GDPR, a “Data Controller” is a party that determines the purposes and means of the processing of personal data. A “Data Processor” is a party that processes personal data at the direction of the Data Controller.

Sojern considers its advertisers and partners as Data Controllers with respect to the data collected from their respective websites and applications. Sojern acts as a Data Processor for its advertising clients when providing advertising services on their behalf. When working with our data partners, Sojern acts as a Controller of the personal data our data partners share with us, which we then process to provide advertising services for clients.

For more information, please see https://www.sojern.com/privacy/product-privacy-policy/

4. Is Sojern GDPR compliant?

When GDPR goes into effect on May 25th, Sojern will be compliant with the new regulations. In preparation for the GDPR deadline, we have implemented new internal processes and policies that span all aspects of our business, operations, systems and organization. These include:

  • Data mapping all personal data across internal and external systems.
  • Completing due diligence of our third-party vendors with respect to personal data under GDPR. You may request a list of our third-party vendors by contacting us here: sojernprivacy@sojern.com.
  • Adopting the principles of privacy “by design” to ensure that best practices are built into the early stages of designing new products and services.
  • Updating our relevant legal agreements to support GDPR compliance obligations.
  • Preparing processes to address inquiries from individuals about their personal data.
  • Enhancing security protocols, procedures, and incident response preparation.
  • Providing Sojern employees with relevant training with respect to GDPR and personal data.

5. Has Sojern identified and documented what legal basis we rely upon for processing personal data in connection with its online advertising business?

Sojern relies upon two bases for the processing of pseudonymous personal data to operate its online advertising business: (1) unambiguous consent and (2) legitimate interest of the data client controller.

Sojern believes “unambiguous consent” forms the primary basis for our advertisers and partners to collect and share personal data that we process in order to provide our advertising services. Unambiguous consent means (1) individuals have been provided with clear, upfront notice that online cookies are being used on the website (e.g. a cookie notice) and that the collected information will be used for marketing and advertising purposes, and (2) the individual has taken some “action” to demonstrate his/her approval to use cookies and process his/her personal data.

Sojern also believes our advertisers and partners can have a legitimate interest in the processing of personal data when used for direct marketing purposes, provided that (1) individuals can reasonably expect their personal data to be processed for this purpose, and (2) the legitimate interest does not override the fundamental privacy rights of the individuals.

6. How does Sojern work with its advertising clients and partners to communicate transparent privacy practices and controls as required under GDPR?

In 2017, Sojern updated its product-related privacy policy to provide additional transparency with respect to the types of data we collect and process on behalf of clients. This Sojern product-related privacy policy is publicly available to our advertising clients and partners. In addition, we have been working closely with our clients and partners to clarify data subject rights procedures and to update our respective contracts accordingly.

7. How is Sojern planning to implement the Right to Erasure (a/k/a Right to be Forgotten)?

Users wishing to opt out of processing of personal data by Sojern and/or to have their personal data deleted can elect to do so by clicking on the Sojern opt-out link (Sojern opt-out), which is readily available from every advertisement delivered by Sojern as well as on our Product Privacy Page. This opt-out mechanism has been certified by TrustArc (f/k/a Truste) here.

Users wishing to learn more about any personal data that Sojern may have collected about them can submit a request in writing to Sojern at: sojernprivacy@sojern.com. Subject to appropriate verification of the data subject, Sojern will comply with such requests.

8. What does Sojern do with the data it collects?

Sojern products use data for two distinct purposes:

    • The first is to process general travel intent signals, which may be associated with online cookie IDs or mobile device IDs to create traveler audiences across web and mobile experiences.
    • The second is to deliver advertising campaigns based on these travel audiences across digital media channels.

For more information, please see https://www.sojern.com/privacy/product-privacy-policy/

9. What types of data does Sojern collect?

Sojern employs online cookies and mobile device IDs to collect travel intent data from users that is pseudonymous. We do not collect information that would personally identify users, such as name, address, email address, social security number, or phone number. Examples of the type of travel intent data that Sojern collects include destination information, dates and length of stay, and number of travelers.

For more information, please see https://www.sojern.com/privacy/product-privacy-policy/

10. Where does Sojern store advertising-related personal data that it processes?

Sojern uses the Google Cloud Platform to host its advertising-related data. You may review Google’s GDPR compliance information here. As noted therein, Google may store data outside the EEA, and data transferred to the U.S. is deemed adequate through Sojern and Google’s commitment to Privacy Shield Certification, or can be implemented through standard contractual clauses.

11. Does Sojern utilize sub-processors or share personal data with other third parties?

Sojern works with a limited number of third-party vendors/partners when providing our advertising products to clients. Google is a notable partner for Sojern. We use Google’s Cloud Platform to host our advertising-related data and their DoubleClick platform to execute the advertising campaigns that we run. For Google’s GDPR compliance documentation, click here. A complete list of our third-party providers can be obtained by submitting a request to sojernprivacy@sojern.com.

12. What is Sojern’s approach to securing personal data?

Sojern employs industry-leading firewalls and virus protection as part of our internal security protocols for the personal data that we collect and process. In addition, we operate policies that restrict access to advertising-related personal data through ‘two-factor authentication’ by engineers on a ‘need to know’ basis. Sojern uses the Google Cloud Platform to host our advertising-related personal data and we are required to comply with all GCP security standards. For Google’s GDPR compliance documentation, click here.

13. Does Sojern resell personal data?

Sojern is not a data broker and does not sell raw data to third parties. We process travel intent data to create travel audiences that power advertising campaigns for our clients.

14. Do you have a Data Protection Officer?

Our General Counsel currently serves as Sojern’s Data Protection Officer.