With the GDPR now going into effect, we would like to share the work we have been doing to get ready. In the run-up to Friday, May 25, we assembled a dedicated internal team composed of key personnel from our management, product, R&D, IT, security and HR teams. Our GDPR-readiness process was also overseen by a dedicated in-house privacy counsel and a leading data protection firm in the EU. This ensures that, beyond May 25, ironSource is prepared for the GDPR and ready to help our wide range of partners to comply.
Our platform restricts personalized advertising
We built our GDPR-readiness plan with our partners and their end users in mind. Therefore, we decided that by default we will not serve personalized advertising in the European Economic Area (“EEA") or Switzerland, nor do we create any profiles or segments of end users in these countries. Accordingly, in these countries, we also will not allow our corporate affiliates and advertisers to serve personalized advertising. By restricting personalized advertising, we do not need user consent to serve advertising.
Consent API for mediation partners
We understand that some of the mediated ad networks in our mediation platform, do require consent to serve personalized ads. Accordingly, we have a consent API available in the latest version of our SDK that allows publishers to easily pass consent to such third-party mediated ad networks, if they choose to serve personalized ads where the GDPR applies. The consent API documentation is available here.
Data subject requests
We have implemented mechanisms to support deletion and access requests from partners and end users. The following document explains the procedure for submitting data subject requests more fully.
Data protection addendums & transferring data outside of the EU
Under the GDPR, ironSource is classified as a data processor for most of our advertising activities, and is a controller only for a very limited number of additional processing activities (including frequency capping, fraud detection, and basic internal operations related to security and debugging). Accordingly, we have entered into data processing addendums with our publishers and advertisers to comply with the terms of Article 28 of the GDPR. These addendums are now part of our standard agreements, so any new partner gets the necessary addendum by default, and does not need to request it specifically. These addendums also contain Standard Contractual Clauses to allow us and our partners to transfer data outside of the EU to the extent relevant. Please note that when data is transferred to our headquarters, it will be transferred based on the adequacy decision by the European Commission with respect to data transfers to Israel (i.e. a decision that permits transfers to a country outside of the EU without the need for any additional certification or agreement).
Our ongoing process
Being GDPR-ready is not enough. Data protection is an ongoing process, and we expect that new standards and guidelines will continue to emerge in the coming months and years. We keep a close eye on such developments, and work hard to make sure our products, including any new products and features, are designed and updated in accordance with such standards, and with the privacy of users in mind.