GDPR FAQs.

Ve Global (Ve), as an organisation that processes personal data, takes its responsibilities under the GDPR seriously. We have been working since early 2017 to put in place mechanisms, documents, technical solutions and procedures that are designed to achieve compliance with the GDPR.

We contract directly with most of our clients to provide our services. We also make available our services to certain affiliate partner networks who are able to on-provide our services to their respective clients - in these FAQs, the term “clients” also includes clients of our affiliate partners.

This document is designed to help our clients understand our approach to the GDPR.

Who is Ve and how and why does Ve use personal data?

Ve is a technology company headquartered in the UK, with 18 offices worldwide, that provides data driven digital advertising and marketing services to over 10,000 clients.

In providing our services, we collect personal data from end users who visit our clients’ websites. We do this through the use of cookies and other similar technologies. You can find out more about the technologies we use by visiting our Cookie Policy.

The purposes for which we use personal data are explained in our Privacy Policy (see Part I in particular which explains to end users how their data is used).

In summary, we collect a variety of personal data about end users, including contact details and ‘behavioural data’ from our use of cookies. We use this personal data to create inferences about end users’ personal preferences. We use these inferences to personalise end users’ overall web experiences, for example by:

  • sending end users, on behalf of clients, personalised marketing communications, including for products that end users add to their baskets but do not initially purchase;
  • displaying personalised offers to end users when they visit client websites, or otherwise tailoring clients’ websites to end users; and
  • displaying personalised ads to end users when they visit client websites or third party websites.

What is the GDPR?

The General Data Protection Regulation (GDPR) is the new EU legal framework governing the use of personal data across the EU. It replaces the existing EU data protection framework which is over 20 years old. It comes into effect on 25 May 2018. The GDPR is designed to give consumers more control over their personal data and applies across the EU. Regardless of Brexit, the British Government intends to implement the legislation. The European Union has published information about the GDPR at https://www.eugdpr.org.

While we are not able to advise you on your own GDPR or other privacy obligations, we recommend you take advice and review the guidance made available by the Office of the Information Commissioner (ICO) or other local regulatory bodies.

What steps has Ve taken to ensure compliance with the GDPR?

We have worked hard to ensure compliance with the GDPR taking key steps including:

  • adopting the responsibilities of a data controller, having analysed the data that we hold and collect, and how the purposes and means of processing are determined (see further below);
  • appointing a Data Protection Officer who can be contacted using the details set out below;
  • updating our legal documentation and policies, including our Privacy Policy and Cookie Policy, to explain how we collect and use personal data. Our updated Privacy Policy is available here;
  • updating and improving security measures and processes, as explained below; and
  • rolling out group wide staff training.

Is Ve a controller or processor for GDPR purposes?

Ve offers clients various solutions including:

  • Programmatic Advertising, which helps clients reach their target audience and maximise their return on advertising spend;
  • Digital Assistant, which helps clients increase online conversions by improving onsite engagement; and
  • Email Remarketing, which helps clients recover lost sales.

We are, for certain other purposes, a controller in our own right where we determine the purposes for which we process data, such as the use of our own data assets to support delivery of our solutions and for the creation of new solutions intended to benefit our clients.

For Ve’s solutions to function effectively and deliver the best results for clients, they rely not only on the use of cookies and other data collected from client websites but also on a) the inferences and other insight that can be gained about users from Ve’s own data assets and b) the expertise and decision making of Ve’s data specialists.

Typically, where we provide our solutions to a client, we are, from a GDPR perspective, a joint data controller with the client. The fact that Ve is a joint controller won’t (of itself) prevent clients from deciding how to use end user data that they collect or from deciding what marketing activities they may undertake. Rather, each client and Ve will work together as controllers, rather than one of us taking sole charge, to determine how Ve’s solutions are best delivered. This means we will ensure that we comply with all of our data protection duties for any personal data that we obtain in the course of our work with clients.

What is Ve’s legal basis for processing end user personal data?

Ve processes personal data for a variety of purposes. The legal basis on which we rely for each of those purposes is explained in our Privacy Policy. In most cases (including any profiling), we have concluded that it is in our “legitimate interest” to process the personal data. The section below explains client responsibilities which are necessary to enable us to provide our services.

What do clients need to do in the context of the GDPR and e-Privacy Directive to make use of Ve solutions?

We take our privacy related responsibilities seriously and wish, in particular, to ensure that our use of personal data is transparent and clear to end users and that end users understand the choices that they have. However, to ensure that we comply with the GDPR and that our activities are consistent with e-privacy obligations, we rely on clients to adhere to their own responsibilities under the GDPR and the Privacy and Electronic Communications Directive (e-Privacy Directive).

Client responsibilities are explained in more detail in our Framework Terms. In these Framework Terms, clients agree:

(a) to obtain any and all marketing permissions and other consents that are required under the GDPR and the e-Privacy Directive to enable us to provide our services, including in respect of cookies that we use. In our view, this means clients should (among other things) (i) use cookie banners, pop-ups or similar and (ii) assess whether they can rely on soft-opt-in under the e-Privacy Directive or need an active informed consent for us to send marketing communications in respect of products and services that they offer;

(b) to ensure, in respect of their websites and applications through which we collect personal data, that they have a compliant privacy notice that expressly names Ve as a party for whom, and by whom, personal data is collected, including a clear link to our Privacy Policy; and

(c) in respect of any marketing communications that are served to end users (including Digital Assistant and Email Remarketing) to include i) visible language within the marketing materials that makes clear Ve’s involvement, including a link to our Privacy Policy and ii) a clear and simple unsubscribe option.

How can end users opt-out of Ve’s use of their personal data?

There are various ways in which end users can prevent Ve from receiving and/or using their personal data. These are set out in the How to opt-out of our use of your personal information section of our Privacy Policy, and include:

  • the use of toggle buttons, built into our Privacy Policy;
  • the deletion of cookies on browsers;
  • using Safari’s ‘Limit Ad Tracking’ function; and
  • using the IAB Europe’s opt-out mechanism located at http://www.youronlinechoices.com/opt-out-interface.

What security measures does Ve take?

Ve takes data security seriously and has a dedicated “Information Security Committee” to ensure the security of processing and cyber security in a manner that meets the requirements of Article 32 of the GDPR (Security of processing).

Does Ve have a Data Protection Officer?

Yes. Our Data Protection Officer can be contacted at: White Collar Factory | Old Street Yard | London | England | EC1Y 8AF | Email: privacy@ve.com.