80 members attended the latest of a series of member-only events aimed at providing practical insight on both GDPR and the ePrivacy Regulation and featured updates from Facebook, Snap, Lewis Silkin and Bristows.
Below is an overview from the event, highlighting some of the key themes and takeaways.
Facebook & the GDPR
- Is Facebook a data processor or a data controller? While Facebook mostly operates as a data controller, there are certain instances where they act as a data processor, for example when working with businesses and other third parties and processing data for custom audiences, ad-measurement and analytics.
- Where Facebook acts as the data processor, they rely on their advertisers to satisfy most of the GDPR obligations, including ensuring there’s a legitimate basis to process data, as well as providing transparency, access, and control (where required).
- Advertisers may be able to rely on several legal bases for the data processing, including contractual necessity, legitimate interest, or consent.
- Measurement, in particular, offers a strong case for legitimate interest as there is a clear business interest in measuring ads. If legitimate interest is only used to create aggregate reports the risk to the privacy interests of data subjects is relatively low.
- Gaining consent will sometimes be the advertiser’s responsibility, sometimes Facebook’s and sometimes both parties will be dependent on each other.
- Find out more here >
- Insights provided by Olivia Roach, Associate General Counsel, Advertising, Facebook.
ISBA/IPA Model Clauses for client/agency contracts
- Newly created clauses from ISBA and the IPA which outline key GDPR responsibilities.
- The clauses are relevant for data-light and data-heavy contracts.
- The model clauses should be published shortly. Find out more about them here >
- Insights provided by Debbie Morrison, ISBA and Simon Morrissey, Lewis Silkin.
The ePrivacy Regulation
- Bristow's Sacha Wilson provided an update on the latest developments with the ePrivacy Regulation, which is available to view here >
Snap & the GDPR
- Gaining parental consent for children under 16 years of age is critical for Snap.
- All data collected is audited and has a short retention period, which they claim is unique.
- Insights provided by Katherine Tassi, Deputy General Counsel, Privacy & Product, and Claire Valoti, General Manager, Northern Europe, Snap Inc.