fraudLog GDPR Data Processing Addendum
The General Data Protection Regulation Data Processing Addendum ("DPA") is a functional part of the following documents:
- Terms of Service - https://www.fraudlog.com/tos.htm
In the scope of this document, EU Data Protection Legislation concludes the following European Directives and Regulations
a. Directive 95/46/EC adopted in 1995
b. Directive 2009/136/EC (amending 2002/58/EC directive) as of 25 November 2009
c. General Data Protection Regulation (Regulation (EU) 2016/279)) as of 27 April 2016 repealing Directive 95/46/EC
When a fraudLog's Customer enters into this DPA is not a party to a service order or the master agreement as provided by data processor TOS, this DPA shall be rendered as invalid and is not legally binding. fraudLog's Customer (a.k.a., data controller) shall with Data Protection Legislation in respect comply at all times in relation to all personal data provided to fraudLog pursuant to the Agreement. The data processing will be executed until the agreement term of the Customer's executive order for the SaaS services expires or is prematurely terminated due to a violation of TOS.
Document definitions and terminology
Data controller (a.k.a., Customer) - an individual or a company utilizing fraudLog data processor service
Data processor - fraudLog, SaaS (a.k.a., software as a data processor service)
Data subject (a.k.a., natural person) - an individual whose sensitive data is acquired and processed by a data controller and a data processor
Personal data / sensitive data - information related to an identified or identifiable natural person "data subject". An identifiable natural person is one who can be identified, in particular by reference such as a name, an ID number, precise location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person The GDPR regulation does not apply to data that "does not relate to an identified or identifiable natural person or to data rendered anonymous in such a way that the data subject is no longer identifiable."
Pseudonymous data (as defined by GDPR) - pseudonymization is a data administration procedure where personally identifiable information fields within a data record are replaced by artificial identifiers, or pseudonyms to mask the original record and to prevent linkage of personal data back to the data subject. Data that underwent pseudonymization can only be exempt from GDPR regulation if it cannot be attributed back to a natural person and re-identified by the use of additional information.
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR) legislation replaces Data Protection 95/46/EC Directive and impacts all businesses and/or individuals worldwide that gather personal data of European Union residents while providing them with full control over their sensitive personal data. It also takes steps to ensure that US companies provide adequate protection in data-transferring processes.
GDPR equally affects both data controllers (e.g. a company) and data processors (e.g. cloud-distributed software vendor).
GDPR and fraudLog Customer (a.k.a. Data Controller)
As a data processor, fraudLog has adjusted its data processing policy and SaaS (software as a service) implementation to allow data controllers to comply with GDPR directives by providing the necessary data processor mechanisms and GDPR tools. fraudLog is GDPR compliant only if you configure it to be compliant and ensure that no personally identifiable information is transmitted or passed to its processing facilities via API, URL variables, or other methods of data transmission.
The data processor accepts the data from the data controller that collects the data from data subjects (i.e., a customer) and therefore functions upon a set of instructions from the data controller. As a fraudLog user (a.k.a. data controller), that utilizes fraudLog (a.k.a. data processor), services to gather a data subject's (a.k.a., website's visitor) browsing activity, you must adhere to the following GDPR key points:
- Data acquisition consent. A website visitor must be provided with information as to what type of data is collected and processed pertaining individual's web browsing activity. If the sensitive data collected by the data controller utilizing fraudLog as a data processor that allows for linking the acquired data back to the individual, as a data controller you must acquire explicit consent from the individual to
fraudLog's data processing services provide a variety of tools for different scenarios of utilization with options to configure and collect limited sensitive and/or anonymous data about the website visitors. If any of the utilized by data processor visitor tracking options enable you as a data controller to collect sensitive data per GDPR definitions, you must acquire explicit visitor consent by the following GDPR proposed online submission mechanisms:
a. Allow the visitors to select technical settings for data collection services
b. Allow submitting a consent form that requires a ticking box or a signature line
c. Acquire another documented statement or conduct clarifying the indication of consent.
- Right of access by the data subject (Art. 15 GDPR)
The data subject shall have the right to obtain a confirmation from the controller as to whether or not personal data concerning him or her are being processed, and if that is the case, being able to gain access to the personal data
- Right to erasure ('right to be forgotten', Art. 17 GDPR)
The data subject shall have the right to obtain from the controller the erasure of personal data if one of the Art., 17 GDPR grounds is applicable.
- Notifications of a breach event
The data controller must notify the data subjects within 72 hours of any personal data breach if the data processed by fraudLog in conjunction with the data provided by the data controller can be linked back to the data subject.
- Data storage compliance
The Data Controller must not store personal data subject information beyond the scope of its usage. As a Data Controller, you may not upload to fraudLog that would allow fraudLog to identify an individual. This data includes but is not limited to name, address, phone number, email address, precise GEO positioning coordinates, and zip codes. Such data should be removed from referring and landing page URLs by the Data Controller before it's logged by fraudLog.
GDPR and fraudLog (as Data processor)
As a data processor in respect to all data processed while providing SaaS application services, fraudLog shall or may:
- Process personal data only in accordance with instructions and directives from the data controller (as specified by this DPA and TOS). If fraudLog is configured by the data controller to process the personal data for any other purpose then as defined by applicable law, fraudLog reserves the right to suspend or terminate its service as provided by the customer
- Notify Customer if the instructions for processing the personal data may violate the Data Protection Legislation prior to initiation of the service
- Maintain specific security measures to the best of its ability to protect the data against unauthorized or unlawful processing, access, destruction, alteration, or disclosure.
- Maintain up-to-date provisional security and policy training of all employees that are granted access to personal data.
- Assist Customer at a reasonable cost and timeframe in relation to requests for rectification, access, and erasure of personal data.
- Upon the end of the service term and per customer request, destroy all personal data associated with the particular Customer account.
- Notify the Customer of any accidental, unauthorized, or unlawful processing, access, or loss of personal data without undue delay and provide details of an "Incident".
fraudLog's role in data acquisition and processing
fraudLog's role as a data processor is to comply with the Data Protection Legislation and Customer instructions that are subject to the GDPR. As a data controller utilizing the data processor's capabilities, a Customer has the capability to adjust the scope of the service and the type and the amount of personal data to be captured, which reflects on the purpose of data processor service utilization.
The following is the default set of personal data variables that are available to capture through data processor services and as instructed by Customer:
- Landing page with URL embedded variables
- Referring page with URL embedded variables
- Referring to search engine and search result keywords
- Referring domain (excluding variables)
- Referring campaign URL with URL embedded UTM variables
User agent data:
- Browser type and version
- OS type and version
- Device type
- Screen width and height
GEO Location data:
All geo-location data is available in the associated server-side hosted IP location database. The location coordinates are not those of the actual visitor and their individual IPs, but rather an indication of a geolocation of an IP address block range, which points to a routed ISP distribution origin that a visitor's ISP utilizes for assignment to an IPv4 and IPv6 block ranges.
- Date and time of most recent visit
- Date and time of the first visit
- Number and frequency of visits
- Pages visited and duration of time spent on each page
- IP address
Visitor ISP data:
- ISP name
- Organization name
- Network's hostname
The data collected and provided by fraudLog data processing services does not allow by default and is provided for linking back to an actual natural person. An exception to the above condition would be additional data keys which could be obtained via the following:
- A legal police warrant and direct assistance of the visitor's Internet Service Provider
- A direct communication with the visitor that would allow linking a captured IP or a set of referring or landing URL variables
- An online form (e.g., a product order form) that forwards an instruction to a data processor to capture the embedded URL variables that contain personal identification information.
Primary changes to end-user accounts to assist GDPR compliant conversion
- An array of data pseudonymization (a.k.a., data anonymization) tools implemented in data controller account to allow for full compliance with GDPR requirements, which includes but is not limited to:
- IP address anonymization - last octet of IPv4 IP addresses and the last 80 bits of IPv6 addresses are set to zeros
- Computer ID anonymization - last two characters of computer ID will be set to 0
- Disablement of cookies that are designed to help to track the same visitor across all projects
- Disablement of cross-domain IP address tracking contacts book, or if opted-in to use, an agreement to not use any personal data within the contacts book but rather factious names in place of personal identification beacons
- Disablement of website widgets that display the full individual visitor IP address and other personal data
- Complete disablement of tracking of any EU residents as identified by the system
- Public stats access URLs will require a user authentication if more than general non-personally-identifying stats are requested to be accessed
- Implementation of tools necessary to manage the captured data, including exporting the raw logs data in common formats for data transfer as instructed by Customer
- Implementation of tools required to selectively delete the records of specific visitors as requested by a natural person
- Activation of compliance with browser's "Do Not Track" headers
- Implementation of an opt-out page for visitors to completely or partially disable tracking of their specific browsers if the Customer decides to collect personal data such as IP addresses instead of anonymous website statistics data
- Implementation of global SSL data access points
* fraudLog reserves the rights to add to, modify and discontinue any of the above end-user account changes at any time to in order to maintain GDPR compliance, which may include but is not limited to the reinforcement of applicable function usage to avoid non-compliance of responsible parties.