IAB Europe processes personal data in accordance with applicable data protection laws, in particular the General Data Protection Regulation (EU) 2016/679 (the “GDPR”).
3.1 Collection of data
IAB Europe collects or obtains data from Data Subjects from the following sources:
3.2 Data processed by IAB Europe
IAB Europe processes, for the purposes listed in Section 4, the following types of data:
3.2.1 « Cookies »
When you visit the Websites we will place Cookies on your device, or read Cookies already placed on your device, subject to obtaining your consent where required.
For the website https://register.consensu.org/, IAB Europe uses a single session cookie named __RequestVerificationToken to ensure the website functions properly.
3.2.2 Data received automatically by our servers
When the User, the Member or TCF Participant accesses the Websites, the relevant servers automatically receive information about their device (such as the IP address of their Internet connection or the type of browser or operating system used. Such information is not logged nor processed for other purposes.
When users install and access the Chrome extension named “CMP Validator”, information about their device (such as the IP address of their Internet connection) is sent automatically to IAB Europe's servers when loading resources that are necessary for the CMP Validator to operate properly. Such information is not logged nor processed for other purposes.
3.2.3 Special categories of personal data
IAB Europe does not seek to collect or otherwise process special categories of personal data understood in accordance with GDPR art. 9 in the ordinary course of its business. Where it becomes necessary to process special categories of personal data of Data Subjects for any reason, IAB Europe will only do so in compliance with the law.
4.1 General purposes
The purposes for which IAB Europe may process the personal data of Data Subjects, subject to applicable laws, include:
4.2 Legal bases for processing
IAB Europe uses physical, technical and administrative measures to protect the Users’ information against loss, theft and unauthorised use, disclosure or modification.
We may provide your data to companies that provide services to help us with our business activities (‘data processors’), e.g. companies that support our ICT Infrastructure. These companies are authorised to use your personal data only as necessary to provide these services to us.
IAB Europe transmits the data of Data Subjects to third-party services to the extent to which these data are required for the performance of the relevant Services. Any such partner will not communicate these personal data to third parties, except in the following situations: (i) if and to the extent that this communication is necessary for the contract’s performance, and (ii) if the partner is obliged to communicate certain information or documents to a public authority, as required by law, such as to comply with a subpoena, or similar legal process and (iii) if IAB Europe is involved in a merger, acquisition, or sale of all or a portion of its assets, you will be notified via email and/ or prominent notice on our Websites of any change in ownership or uses of your personal data, as well as choices you may have regarding your personal data. The communication of information to the persons set out in point (ii) shall, in any case, be limited to that which is strictly necessary or required by applicable laws.
If IAB Europe engages a third-party processor to process data of Data Subjects, the processor will be subject to binding contractual obligations to: (i) only process the data in accordance with IAB Europe’s prior written instructions; and (ii) use measures to protect the confidentiality and security of the data; together with any additional requirements under applicable laws.
Some of our data processors are located outside the EU (‘third countries”). Certain third countries have been officially recognised by the European Commission as providing an adequate level of protection. You can find the list of these countries here. Transfers to our data processors located in other third countries take place using an acceptable data transfer mechanism, such as the EU-U.S. Data Privacy Framework that allows the transfer of data from the EU to US companies certified under this framework, the EU Standard Contractual Clauses or Binding Corporate Rules.
IAB Europe will only retain the Users’ and Members’ data for as long as necessary to fulfil the purposes for which it was collected and processed, including for the purposes of satisfying any legal, regulatory, accounting or reporting requirements.
The determination of the appropriate retention period for the Users’ data is based on the purposes for which we process it, whether we can achieve these purposes through other means, the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorised use or disclosure, and the applicable legal requirements.
For some of the purposes mentioned in section 4.1. or for purposes of which you may be informed separately, IAB Europe may anonymise the User’s personal data so that it can no longer be associated with the User, in which case it is no longer considered personal data. For example, IAB Europe anonymises personal data in order to create statistics about the usage of its Websites which IAB Europe may use to improve its Websites.
Upon expiration of the applicable retention period IAB Europe will securely destroy the personal data in accordance with applicable laws and regulations.
Data Subjects may request access, ask for rectification and for deletion of their personal data, except those which IAB Europe are legally obliged to retain, from IAB Europe’s databases by addressing an email to email@example.com, or alternatively a written request at the following address: IAB Europe, 1040 Brussels (Belgium), Rond-Point Schuman, 11. Data Subjects may request to have their personal data transferred to another controller, in a structured, commonly used and machine-readable format.
Any Data Subject may request restriction of processing of their personal data.
Where IAB Europe processes a Data Subject’s personal data on the basis of consent, the Data Subject has the right to withdraw that consent. IAB Europe will then take all necessary steps to satisfy such a request with expediency.
Any Data Subject has the right to lodge complaints regarding the processing of their personal data with a data protection authority (which can be any of the data protection authority of the EU Member State in which they live, or in which they work, or in which the alleged infringement occurred).
Subject to applicable laws, each Data Subject may also have the following additional rights regarding the processing of their personal data:
Persons under 16 years old and persons who do not have full legal capacity are not allowed to use the Websites, and must not provide their personal data to us. IAB Europe does not knowingly collect or store personal data from children under the age of 16, unless permitted by law. If IAB Europe learns that it has collected personal data from a child under age 16, it will delete that information from its database.
We display personal testimonials of satisfied members on our Websites in addition to other endorsements. With your consent we may post your testimonial along with your name, but we will always check that you are happy for us to do so first. If you wish to update or delete your testimonial, you can contact us at firstname.lastname@example.org.
10.2 Links to 3rd Party Sites
Rond-Point Robert Schuman 11
Last Updated: 16 October 2023