Unruly’s GDPR

Commitment Statement

GDPR Commitment Statement

The General Data Protection Regulation (GDPR) is a new European data protection law coming into force on 25 May 2018, which will harmonise the law regarding the Personal Data of individuals in the EU. Unruly and News UK are firmly committed to complying with the GDPR, and to achieve this we have invested in a GDPR Transformation Programme that reinforces and extends our existing policies and procedures on data protection. As part of our group-wide Transformation Programme we have:

  • Refreshed our current data protection policies, roles and accountabilities and created a News UK Data Governance Committee, which Unruly participates in. Unruly also has its own internal GDPR committee
  • Confirmed our cyber security measures continue to be robust and fit-for-purpose
  • Ensured we have up-to-date records of any Personal Data that we hold
  • Committed to train our people to treat Personal Data the right way
  • Designed a process for allocation of responsibilities between us and our business partners
  • Reinforced our policy on protecting Personal Data when we design new processes and ways of working

What does this mean for our audiences?

We are committed to handling personal data responsibly and compliantly. Unruly's Privacy Policy and the News UK Privacy Policy explain what personal data we collect, the purposes we use it for and how it is being protected.

What does this mean for our staff?

We are committed to ensuring that all Unrulies are supported in their work and confident that their information will be treated with respect. To achieve this we do need to collect and hold Personal Data about our workforce – including information about health, wellbeing and personal contact details.

What does this mean for our business partners?

We are committed to ensuring that all business partners that we work with achieve the same standards of data protection practices that we set ourselves. We will work with our partner companies to ensure that any Personal Data they are using on our behalf is processed fairly, lawfully and transparently.

FAQs about Unruly and GDPR

What types of personal data does Unruly collect from individuals?

We hold personal data relating to our staff, clients, business partners and our advertising activities. We do not process special categories of personal data or criminal convictions data in relation to our targeted or behavioural advertising activities. Unruly does not specifically target children and our products are specifically developed for consumption by those over the age of 18.

In respect of online advertising, Unruly collects the following information: geolocation, time and types of interactions, unique user identification, IP addresses, browser and version/device IDs, page URLs, audience segments and error messages. For more information please see our Privacy Policy.

For what purposes does Unruly collect personal data?

Unruly uses the information collected for the following purposes:

  • Digital Advertising (Interest-Based, Programmatic, Contextual and Location-Based Advertising)
  • Personalised Online Content Delivery
  • Online Content Delivery Analytics
  • Malware and Fraud Prevention and Detection

How is personal data collected?

We set a cookie containing an identifier on all users and collect IP addresses, device IDs and browser/device information.

Is Unruly a controller or processor?

We aggregate and use data collected from our network of publisher sites which offer and display our clients’ ads in order to allow us to make informed targeting decisions, therefore we are the controller in respect of this data. We may act in some circumstances as a processor, for example where certain client data passes through UnrulyX (our exchange).

What data is made available by Unruly to third parties and for what purposes?

Unaggregated data will not be made available to any third party outside of Unruly and our sub-processors. Our processors Lotame and AWS manage and process our data. AWS provides us with a scalable storage solution. We use Lotame to provide targeted advertising services. To ensure that we comply with our GDPR obligations, we require our partners to tell us for what purposes personal data will be processed and who it may be disclosed to.

Where does Unruly have operations and does Unruly transfer personal data outside of the EEA?

Unruly is headquartered in the UK and has offices in Germany, the Netherlands, Norway, Sweden, Australia, India, Japan, Malaysia, Singapore and the US. Unruly is a subsidiary of News Corp which has operations worldwide. Personal data may be processed by staff in any of those locations who may be engaged in, for example, the fulfilment of your order or the provision of support services, or by one of our suppliers (e.g. cloud platforms like AWS) who are based outside the EEA. However, we only transfer personal data where there are appropriate measures and controls in place.

What is Unruly doing to assess the GDPR compliance of third parties?

When contracting with third parties, we follow a rigorous due diligence ‘supplier on-boarding’ process which ensures that we are contracting with appropriate third parties and that contractual provisions are in place around the personal data being shared and processed.  This process considers potential privacy impacts as well as our privacy by design obligations.

What lawful bases does Unruly rely on for processing personal data?

Depending on the specific processes involved we rely on various legal bases in processing personal data - typically these will include performance of a contract, legitimate interests and where necessary, consent (for example, the placement of cookies under the Privacy and Electronic Communications Regulations 2003 and for direct marketing purposes). Please see our Privacy Policy for further details.

Is Unruly relying on legitimate interests to process personal data?

Yes. We will only rely on legitimate interests as a lawful basis where we have carried out a balancing test and found that we have a legitimate interest that is not overridden by the rights of individuals. We only rely on legitimate interests where users’ rights do not override our interests in using the data.

Is Unruly relying on consent to process personal data?

Yes. We will rely on consent where it is appropriate to do so and where it is the only lawful basis available to us. However, we believe that there are a number of processing activities, including for online behavioural advertising, where we may rely on legitimate interest and may be the most appropriate lawful basis. Where we rely on consent for certain processing activities, we are committed to complying with both the letter and spirit of the law. To that end we are working to improve transparency and control over the placement of cookies and similar technologies, as well as implementing GDPR compliance policies and processes that support the use of appropriate notices and the collection of meaningful consents for the placement of cookies.

How does Unruly capture permission to place cookies, tags and other technologies on users’ browsers and devices?

Where we are relying on consent as a legal basis for to place cookies, tags and other technologies on users’ browsers and devices, we would expect publishers to obtain this and pass through. We will be supporting the IAB GDPR Transparency and Consent Framework to pass other vendors any consent or legitimate interest signal where available via the user.ext.consent and regs.ext.gdpr fields.

Users are able to opt out via our opt-out tool.

What about your UnrulyEQ products?

Unruly’s targeting capabilities are based on unique first-party data, collected through an opt-in process that has already been rigorously audited. You’ll still be able to take advantage of UnrulyEQ Max and UnrulyEQ Lite, our pre-testing tools, and UnrulyEQ Lift for post-testing, as well as deeper Playbook reports and our audience targeting products including Custom Audiences (eg. Real Audiences, Emotional Audiences, Intender Audiences and more) and Popular Audiences (eg. Seasonal Audiences, Mover Audiences, Personality Audiences and more). Unruly takes trust and consent very seriously. We help advertisers reach consumers who are most likely to be receptive to their content and brand values.

Does Unruly have a Data Protection Officer?

Our parent company News UK has an appointed DPO who has overall responsibility for the News UK group of companies including Unruly. The DPO can be contacted at [email protected]