Using data responsibly has always been a key tenet of Sojern’s corporate data policy. We have a strong track record of providing customers with solutions that both solve their business needs and that protect consumer privacy. This approach puts privacy and security at the center of how we manage our platform, work with partners, and operate our business.
We believe GDPR harmonizes a fragmented regulatory framework in the EU, and is a positive step forward for the industry and individuals. We fully support regulation that ensures a person’s private information is protected, and have created this FAQ so customers, partners and consumers better understand the steps we are taking to comply with new GDPR legislation.
This set of frequently asked questions sets out Sojern’s approach for addressing the requirements of the European General Data Protection Regulation that went into effect on May 25, 2018 ("GDPR").
Please note that this FAQs does not constitute legal advice. It is for informational purposes only and may be updated at any time without notice. You should seek professional legal advice where appropriate.
For additional information, please contact us via email at [email protected].
Yes, Sojern collects what GDPR defines as “pseudonymous personal data.” Under GDPR, personal data is broadly defined as 'information that relates to an identified or identifiable individual". Personal data is categorized under two groups:
Sojern only collects and processes pseudonymous data to deliver its advertising services. In particular, we regularly utilize cookie IDs and mobile IDs to collect information about travel intent, such as flight searches and travel dates.
No. Under GDPR, sensitive personal data is defined as data relating to a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, and/or sexual orientation. Sojern does not collect or use sensitive personal data, and it is not required to perform any operations of our platform.
Under GDPR, a "Data Controller" is a party that determines the purposes and means of the processing of personal data. A "Data Processor" is a party that processes personal data at the direction of the Data Controller.
Sojern considers its advertisers and partners as Data Controllers with respect to the data collected from their respective websites and applications. Sojern acts as a Data Processor for its advertising clients when providing advertising services on their behalf. When working with our data partners, Sojern acts as a Controller of the personal data our data partners share with us, which we then process to provide advertising services for clients.
For more information, please see https://www.sojern.com/privacy/product-privacy-policy/
In 2018, in preparation for the GDPR deadline, we implemented internal processes and policies that span all aspects of our business, operations, systems and organization in order to ensure we put the privacy of individuals first. We continue to evolve our capabilities as the regulatory landscape changes. Some of our efforts include, but are not necessarily limited to:
Sojern relies upon two bases for the processing of pseudonymous personal data to operate its online advertising business: (1) unambiguous consent and (2) legitimate interest of the data client controller.
Sojern believes “unambiguous consent” forms the primary basis for our advertisers and partners to collect and share personal data that we process in order to provide our advertising services. Unambiguous consent means (1) individuals have been provided with clear, upfront notice that online cookies are being used on the website (e.g. a cookie notice) and that the collected information will be used for marketing and advertising purposes, and (2) the individual has taken some “action” to demonstrate his/her approval to use cookies and process his/her personal data.
Sojern also believes our advertisers and partners can have a legitimate interest in the processing of personal data when used for direct marketing purposes, provided that (1) individuals can reasonably expect for their personal data to be processed for this purpose, and (2) the legitimate interest does not override the fundamental privacy rights of the individuals.
In 2017, Sojern updated its product-related privacy policy to provide additional transparency with respect to the types of data we collect and process on behalf of clients. This Sojern product-related privacy policy is publicly available to our advertising clients and partners. In addition, we have been working closely with our clients and partners to clarify data subject rights procedures and to update our respective contracts accordingly.
Users wishing to opt out, export, or delete any personal data that Sojern may have collected about them can use this tool.
Sojern Product’s use data for two distinct purposes:
For more information, please see https://www.sojern.com/privacy/product-privacy-policy/
Sojern employs online cookies and mobile device IDs to collect travel intent data from users that is pseudonymous. We do not collect information that would personally identify users, such as name, address, raw email address, social security number, or phone number Examples of the type of travel intent data that Sojern collects include destination information, dates and length of stay and number of travelers.
For more information, please see https://www.sojern.com/privacy/privacy-policy/
Sojern uses the Google Cloud Platform to host its advertising-related data. You may review Google’s GDPR compliance information here. As noted therein, Google may store data outside the EEA, and data transferred to the U.S. is deemed adequate through Sojern and Google’s commitment to Privacy Shield Certification, or can be implemented through standard contractual clauses.
In July of 2020 the Court of Justice of the European Union (CJEU) case C-311/18 determined the provisions of US laws do not satisfy requirements that are essentially equivalent to those required under EU law. While Sojern continues to evaluate the impact of this decision we continue to take the appropriate steps to ensure we provide high level privacy protection for EU citizens. Where personal data will be transferred outside of the EU to third countries not covered by adequacy decisions, we commit under our data processing agreements to maintain a mechanism that will facilitate these transfers as required by the GDPR. See Google’s Safeguards for International Data Transfers with Google Cloud for more information.
Sojern works with a limited number of third party vendor/partners when providing our advertising products to clients. Google is a notable partner for Sojern. We use Google’s Cloud Platform to host our advertising-related data and their Display & Video 360 platform to execute the advertising campaigns that we run. For Google’s GDPR compliance documentation, click here. A complete list of our third party providers can be obtained by submitting a request to [email protected].
Sojern employs industry-leading firewalls and virus protection as part of our internal security protocols for the personal data that we collect and process. In addition, we operate policies that restrict access to advertising-related personal data through ‘two-factor authentication’ by engineers on a ‘need to know’ basis. Sojern uses the Google Cloud Platform to host our advertising-related personal data and we are required to comply with all GCP security standards. For Google’s GDPR compliance documentation, click here.
Sojern is not a data broker and does not sell raw data to third parties. We process travel intent data to create travel audiences that power advertising campaigns for our clients.
Our General Counsel currently serves as Sojern’s Data Protection Officer.