X
FOR DIGITAL MARKETERS
Data Collaboration Platform Playbook On-Demand Get Yours Now

Privacy Notice Supplement for GDPR Countries

Last modified on December 29, 2023 (previous versions)

This Privacy Notice Supplement for GDPR Countries supplements Lotame’s Services Privacy Notice. Lotame has responsibilities as both a controller and a processor under the GDPR. When the GDPR is applicable, Lotame will process your Personal Data in accordance with the GDPR and the agreements with our Business Customers and Data Partners from which we obtained your Personal Data. For capitalized, undefined terms used but not defined in this Notice, please see our Definitions page.

In the sections below we describe:

  1. Our Legal Basis for Processing Personal Data under the GDPR
  2. Trans-Atlantic Data Privacy Framework (DPF) Program
  3. Onward Transfers of Personal Data
  4. Government Requests for Personal Data
  5. EU Representative
  6. Data Subject Access Requests
  7. Contact Us
  8. Definitions

 

1. Our Legal Basis for Processing Personal Data under the GDPR

Lotame’s legal basis for processing your Personal Data is consent, which is given by you to our Business Customers and Data Partners and provided to Lotame via the IAB Europe’s Transparency and Consent Framework (TCF) or directly to Lotame using Lotame’s Consent API. Lotame recommends that all our Business Customers and contractually requires that all of our Data Partners implement the latest TCF version, which is TCF 2.2, for the transmission of legal bases for processing Personal Data.

Lotame participates in the TCF as a vendor and complies with its Policies and Specifications. Lotame’s identification number within the TCF is 95.

 

2. Trans-Atlantic Data Privacy Framework (DPF) Program

Lotame participates in and has certified its compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. Data Privacy Framework (UK Data Bridge), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) (collectively referred to as the “DPF”). The DPF was developed in furtherance of transatlantic commerce by the U.S. Department of Commerce and the European Commission, the UK Government, and the Swiss Federal Administration to provide U.S. companies with reliable mechanisms for Personal Data transfers to the United States from the EU/EEA, the UK (and Gibraltar), and Switzerland while ensuring data protection that is consistent with EU, UK, and Swiss law. You can learn more about the DPF on the U.S. Department of Commerce site. You can view Lotame’s certification by visiting the DPF participant page.

Lotame commits to operate and process Personal Data in compliance with the DPF and the DPF Principles, and to refer unresolved complaints concerning our handling of Personal Data received in reliance on the DPF to ANA DPF Dispute Resolution, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit ANA DPF Dispute Resolution for more information or to file a complaint. The services of ANA DPF Dispute Resolution are provided at no cost to you.

ANA DPF Dispute Resolution logo
ANA DPF Dispute Resolution
2020 K Street NW, Suite 660
Washington, DC 20006
https://ana.net/dpf-consumers

Lotame is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission, the U.S. Department of Transportation, and other U.S. authorized statutory bodies that are authorized to ensure compliance with the DPF Principles. Under certain conditions, more fully described on the DPF website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.

 

3. Onward Transfers of Personal Data

Lomate may transfer your Personal Data to third party controllers and to processors acting on behalf of and under the instruction of Lotame.

When Lotame transfers your Personal Data to third party controllers, it is doing so on behalf of and at the instruction of our Business Customers. In such an event, our Business Customers are responsible for ensuring the compliance of the transfer and we contractually require our Business Customers to have in place the appropriate mechanisms to complete the transfer in compliance with the GDPR or the DPF Principles.

If Lotame transfers your Personal Data to one of its processors to perform processing tasks on behalf of and under the instruction of Lotame, Lotame takes reasonable and appropriate steps to ensure that its processors effectively processes your Personal Data in a manner consistent with Lotame’s obligations under the DPF Principles and Lotame remains generally liable for the acts of its processors that are in violation of the DPF Principles. Lotame will also take the following steps.

For transfers to U.S.-based processors, Lotame requires that its processors either:

  • subscribe to the DPF; or
  • enter into a written agreement with Lotame requiring them to (i) only process your Personal Data for limited and specified purposes consistent with our agreement with the processor, (ii) provide the same level of protection for your Personal Data as is required by the DPF Principles, and (iii) cease processing your Personal Data (or take other reasonable and appropriate remedial steps) if it or Lotame determines that it cannot provide the same level of protection for your Personal Data as is required by the DPF Principles.

For transfers to processors in non-GDPR Countries with no adequacy decision, Lotame requires that its processors:

  • enter into the applicable Standard Contractual Clauses with Lotame; or
  • enter into a written agreement with Lotame requiring them (i) only process your Personal Data for limited and specified purposes consistent with our agreement with the processor, (ii) provide the same level of protection for your Personal Data as is required by the DPF Principles, and (iii) cease processing your Personal Data (or take other reasonable and appropriate remedial steps) if it or Lotame determines that it cannot provide the same level of protection for your Personal Data as is required by the DPF Principles.

 

4. Government Requests for Personal Data

Lotame is committed to protecting the privacy of your Personal Data in accordance with Data Protection and Privacy Laws. However, national security and law enforcement needs should not come at the expense of individual privacy. Lotame requires government and private entities to follow applicable laws and statutes when requesting access to the Personal Data that we process. We contractually require our Service Providers to follow the same standards we apply to government information requests for Personal Data. Our legal team reviews requests to ensure that the requests have a valid legal basis. If they do, we comply by providing data responsive to the request. If a request does not have a valid legal basis, or if we consider it to be unclear, inappropriate, or overly broad, we challenge or reject the request.

 

5. EU Representative

Pursuant to Article 27 of the GDPR, we have appointed European Data Protection Office (EDPO) as our GDPR Representative in the EU/EEA. You can contact EDPO regarding matters relating to the GDPR, you can contact EDPO using one of the following methods.

  • By using EDPO’s online form: https://edpo.com/gdpr-data-request/.
  • By writing to EDPO at Avene Huart Hamoir 71, 1030 Brussels, Belgium. Please ensure to include our company name (Lotame Solutions, Inc.) in any correspondence you send to our GDPR Representative.

In the UK, our representative is our UK subsidiary: Lotame Solutions International Limited, Suite 2 First Floor, 10 Temple Back, Bristol, United Kingdom, BS1 6FL.

 

6. Data Subject Access Requests

As a resident of a GDPR Country, you have the right to request certain information from Lotame or the right to request Lotame to take certain actions related to your Personal Data that Lotame is processing (“Privacy Rights”). Our Privacy Manager contains information about your Privacy Rights.

How to exercise your Privacy Rights. You can make a request to exercise your Privacy Rights by submitting your request using our Privacy Manager. You can also make a request to exercise your Privacy Rights by contacting us at privacy@lotame.com; however, due to the nature of the Personal Data that we process and the need to verify certain types of Privacy Rights requests, using email is not the best method to submit your Privacy Rights request. Using the European Interactive Digital Advertising Alliance’s Your Online Choices tool is the best method to submit your request without the need to submit additional information to Lotame.

Please note that with respect to Personal Data that we receive from our Business Customers that is used by those Business Customers for their own business or commercial purposes, Lotame will not be able to take action regarding your Privacy Rights request without you providing the name of the Business Customers for which we process such Personal Data.

Using Authorized Agents. If you want to use an authorized agent to submit your Privacy Rights request, please have the authorize agent follow the instructions below:

Using an authorized agent without power of attorney to submit a Privacy Rights request. An authorized agent without power of attorney must submit a signed permission from the individual authorizing the agent to submit the Privacy Rights request(s) on their behalf by using Lotame’s Privacy Rights Request Form.

Using an authorized agent with power of attorney to submit a Privacy Rights request. An authorized agent with a valid power of attorney, must submit the valid power of attorney executed lawfully under the appropriate law by using Lotame’s Privacy Rights Request Form.

 

7. Contact Us

You can contact us via email at privacy@lotame.com or regular mail to the address below:

Lotame Solutions, Inc.
c/o Lotame Privacy Team
8890 McGaw Road, Suite 250
Columbia, MD 21045

 

8. Definitions

the GDPR” includes (1) the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“EU GDPR”) and (2) the EU GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”), and Switzerland’s Federal Act of 25 September 2020 on Data Protection (“FADP”).

GDPR Countries” includes all countries in the European Union/European Economic Area that have implemented the GDPR, Switzerland, and the United Kingdom of Great Britain and Northern Ireland.