What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is a regulation enacted by the European Union (EU) to protect the privacy and personal data of its residents. This regulation, which came into effect on May 25, 2018, impacts how companies collect, store, and use personal data.

The GDPR is based on two main principles:

The right to privacy: This means that EU citizens have a right to control their personal data. They have the right to access their data, correct inaccuracies, object to processing, restrict processing, and have their data deleted in certain circumstances (the "right to be forgotten").

Data protection by design and default: This means that organizations must integrate data protection into their processing activities and business practices, from the design stage right through the lifecycle.

The GDPR applies to any company that processes the personal data of people in the EU, regardless of where the company itself is located. Thus, it has wide-reaching implications for companies worldwide.

Under the General Data Protection Regulation (GDPR), companies can process personal data under the following legal bases:
  1. Consent: This is where the individual has given clear and unambiguous consent for their data to be processed for a specific purpose.
  2. Contract: Processing is necessary in order to fulfill the terms of a contract with the individual, or to take steps to enter into a contract.
  3. Legal Obligation: Processing is necessary to comply with a legal or regulatory obligation.
  4. Vital Interests: Processing is necessary to protect someone’s life.
  5. Public Task: Processing is necessary to carry out an official function or task that is in the public interest.
  6. Legitimate Interests: Processing is necessary for the legitimate interests pursued by the company or a third party, provided these interests are not overridden by the individual’s rights and interests.

Understanding Nivafy’s Role: Data Controller vs. Data Processor

Under the General Data Protection Regulation (GDPR), Nivafy’s role in processing personal data can be categorized as either a ‘data controller’ or a ‘data processor.’ These roles determine our responsibilities when handling your personal data:

Data Controller

As a data controller, Nivafy is responsible for deciding why and how (the ‘purposes’ and ‘means’) your personal data is processed. Our duties as a data controller include:

  • Adhering to compliance measures around data collection, usage, and retention
  • Ensuring your ability to access your personal data
  • Confirming that data processors we work with fulfill their contractual obligations to process data safely and legally

Data Processor

Nivafy acts as a data processor when we process personal data on behalf of other entities. As a data processor, we must handle data safely and legally under the GDPR.

While Nivafy primarily functions as a data controller for most of our services, there are circumstances in which we act as a data processor in collaboration with businesses and other third parties. In these instances, the third-party entity must provide a valid legal basis for Nivafy to process the data.

Here are a few instances where Nivafy acts as a data processor:

Custom Audiences:

In our role as a data processor, we match businesses’ customer data against people in our database to create a custom audience for advertising campaigns.

Measurement and Analytics:

Nivafy processes data on behalf of advertisers to measure the performance and reach of their campaigns. We provide insights about the individuals who saw and interacted with these advertisements.

Nivafy Collaboration Tools:

Our collaboration tools allow people within a company to work together using Nivafy’s platform. In this scenario, we process personal data to provide these services.

At Nivafy, whether we’re acting as a data controller or a data processor, we’re committed to handling your personal data with respect and within the legal boundaries of the GDPR. If you have any questions about how we handle your data, please contact us.

Data Transfers

At Nivafy, we operate on an international scale and process data within and beyond the European Economic Area (EEA). In line with existing practices, any transfers of personal data outside of the EEA must satisfy certain legal prerequisites. This also applies when we function as a processor on behalf of our advertisers and other partners. When our partners make transfers and we act as a processor, these transfers are conducted using the Standard Contractual Clauses (SCCs) instituted through our EU Data Transfer Addendum, which is referenced in the data processing terms or addendum applicable to the product.

Privacy Commitments

While we no longer rely on the Privacy Shield framework for the purposes of Chapter V of the GDPR to transfer data outside of the EEA, we continue to be committed to upholding privacy regulations. We remain certified and dedicated to complying with privacy-related frameworks, implementing these in connection with certain products, including our various collaboration tools and certain advertising products. For more information, please feel free to contact us.