December 21, 2017 | 4 Minute Read

GDPR Sensitive and Non-Sensitive Data: A Distinction with a Difference

Updated April 24th, 2018.

This article does not constitute legal advice, nor is this information intended to create or rise to the level of an attorney-client relationship. You should seek professional legal advice where appropriate.

From the Criteo Privacy Team: 

At Criteo, we’ve long seen consistency, certainty, and compliance around privacy and data protection as a win-win for businesses and consumers alike. With the General Data Protection Regulation (GDPR) coming into effect on May 25, 2018, we are thrilled that data compliance will finally be streamlined across the EU. Criteo is ready to tackle the GDPR challenge and expects limited impact of the new regulation, if any, on our clients’ and publisher partners’ ability to work with Criteo.

(Learn more: Criteo is Ready for GDPR Compliance Journey)

The GDPR aims to modernize the EU legal system regarding data, strengthen individuals’ rights, and improve the clarity and coherence of the EU rules.

We know that our clients, publisher partners and investors have a lot of questions around the implications of the GDPR legislation, especially when it comes to the different types of data collection.

The GDPR establishes a clear distinction between sensitive personal data and non-sensitive personal data. Since Criteo only collects non-sensitive personal data in the form of cookies, we are very familiar with those distinctions.

Here is how the GDPR categorizes this data, along with the common questions businesses need to answer about data management:

Firstly, what is “Personal Data” as defined by the GDPR?

Let’s start with how the new laws look at “personal data.” Personal data is anything that contains:

  • Directly identifying information such as a person’s name, surname, phone numbers, etc.
  • Pseudonymous data or non-directly identifying information, which does not allow the direct identification of users but allows the singling out of individual behaviors (for instance to serve the right ad to the right user at the right moment).

The GDPR establishes a clear distinction between directly identifying information and pseudonymous data. The GDPR encourages the use of pseudonymous information and expressly provides that “the application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations”[1]. Criteo only collects pseudonymous technical identifiers linked to browsing events.

To learn how to really adapt to GDPR, join our next webinar on 6/30, “Surviving a Post-GDPR World”


What is “sensitive data” as defined by GDPR?

Sensitive data is any data that reveals:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data for the purpose of uniquely identifying a natural person
  • Data concerning health or a natural person’s sex life and/or sexual orientation

By nature, the data that Criteo collects and processes for its clients and publisher partners does not qualify as sensitive data as defined by the GDPR. On our side, Criteo only collects pseudonymous technical identifiers linked to browsing events.

What type of personal, non-sensitive data does Criteo collect?

When working with Criteo, our clients and publisher partners need access only to pseudonymous data that does not allow the direct identification of users. This pseudonymous data includes:

  • Cookie IDs
  • Hashed email addresses
  • Mobile Advertising IDs
  • Any other technical identifiers that allow Criteo to single out individual behavior without directly identifying the individuals

Legitimate Interest and Unambiguous Consent

Of the six legal bases for data collection and data processing in Europe, we believe that for businesses in the marketing or digital marketing industry, or for those who collect data for marketing purposes, the two applicable bases are (1) unambiguous consent of the individual and (2) legitimate interest of the data controller.

First, the legitimate interest of the data controller – our clients and publishers – may include direct marketing purposes. And second, unambiguous user consent, including a user continuing to browse a website, can be a basis for the collection and processing of non-sensitive personal data. To learn more, click on the link below.

(Learn more: GDPR Compliance: Cookies Are Personal Data – A Legal Bases For Their Collection and Use)

Our strong privacy-by-design practices provide a solid foundation to immediately address all GDPR requirements. While our clients and publisher partners are responsible for providing comprehensive information to their users, our services involve a shared responsibility across our network. Criteo’s long-standing expertise in data protection and user privacy highlights that, with proper information and control tools, we can effectively prepare our clients and publisher partners to tackle this GDPR challenge.

Learn about our GDPR-compliant products.

[1] General Data Protection Regulation (EU) 2016/679, Recital 28.