Seal Metrics / Sample DPIA

Introduction

"We", "us", or "the Client" act as "data controllers" in the deployment and use of Seal Metrics ("the Product"). ESFERA MARKETING SL acts as "data processor".

We have control over what we use the Product for, as well as its implementation and configuration in our business. Our use of the Product is covered by its Terms of Use, as well as by the Data Processing Agreement in place between us and the data processor.

This Data Protection Impact Assessment ("DPIA") covers our use of the Product, including identified foundational risks, mitigations, security provisions, and rights considerations.

Personal Data Inventory

These are the specific personal data points involved in the processing:

  • Customer data: including events and time-stamps obtained from the data subject's interaction with our public websites.
  • Traffic data: summarizing sources of traffic as provided by URL parameters attached to website links employed in the websites of origin.
  • Diagnostic data: including generic information on the performance of the Product in the rendering of resulting reports.

Customer data and traffic data pertain to website visitors, while diagnostic data is obtained from our own personnel in charge of deploying, running, or using the Product.

The data processor is the recipient of this data, sharing it only with the identified subprocessors in charge of maintaining the infrastructure the Product is running on. No international data transfers take place, and data is retained for a maximum of five years and deleted within three months after the expiration or cancellation of the underlying contract.

Lawful Basis for the Processing

We rely on legitimate interest to process this data. Our legitimate interest is the measurement and optimization of our digital assets, the interactive services offered to our customers, and the general experience provided to all users.

Personal Data Lifecycle

Event data is collected through a pixel embedded in our website's HTML header. This pixel will make a secure HTTP call to the data processor's system, in turn passing along the information subject to processing.

This data is stored in the servers of Ireland-based Noraina Ltd.

We are able to dispose of the data through an option provided in the Product's administration interface, as well as through a specific request to the data processor's customer service representatives.

Transparency: LIA

We have completed a Legitimate Interest Assessment, balancing our stated legitimate interest with the individuals fundamental rights and freedoms at stake, concluding that the risks of harm to the latter do not outweigh the former.

More specifically:

Even in the case of a hypothetical data breach, no substantial risk is posed by the storage and processing of website events, clicks, or sources of traffic in the generic and aggregated manner offered by the Product. Its capabilities have purposely been curtailed vis-a-vis more traditional web analytics tools (such as Google Analytics or Adobe Analytics) as a specific and conscientious step to embracing Privacy by Design principles.

Accuracy

We are satisfied that the data being collected is accurate to the best of our understanding, and we are certain that this will in any case depend on our own ability to properly configure its associated tags and pixels.

Minimization, Retention, and Deletion

We have done everything we can to minimize the personal data we are processing. Automated retention and disposal are enabled through Seal Metrics.

Integrity and Confidentiality

Where will the personal data be stored? In the servers provided by Noraina Ltd (Ireland).

Are there appropriate access controls to keep the personal data secure? Yes.

Have we had access to a security assessment of the data architecture in use? Yes.

Have we provided enough internal training to understand the implications of all configuration and administration options provided by the data processor? Yes.

Individual Rights

Since there is no direct link between the events being collected and each specific individual, and given that not even first party cookies are provided as a link across multiple user sessions, rights of access or rectification cannot be provided in the absence of additional data collection efforts. We do not believe that such features justify the new purpose. The same applies to the right of erasure or the restriction of data processing.

While a right to data portability does not arise from the chosen legal basis (legitimate interest), individuals may object to the processing of traffic sources and other campaign parameters by employing a web browser that automatically discards such variables, or else through the manual removal of their associated values on their initial access to our website.

Risk Assessment

We can anticipate the following risks, risk scores, responses, and mitigation measures:

Excessive collection | High Impact, Low Probability

  • Could we deploy the Product's tags and pixels in a manner that collects richer personal data properties at individual level, or even manages to append special categories of data, in direct breach of the data processor agreement in place? A lack of training and judgement on the part of IT teams, combined with insufficient supervision could result in such a scenario.
  • Response: Reduce such risk.
  • Mitigation measures: Introducing a data layer review workflow prior to publishing pixels, tags, and URL parameters aimed at meeting data collection requirements.

Personal data being shared with third parties | High Impact - Very Low Probability

  • Could external businesses and individuals gain access to personal data being collected by the Product? This would require the combination of two failures in our data governance processes: a) The collection of fully identifiable personal data; and b) The communication of such data to third parties in what would amount to a data breach.
  • Response: Reduce such risk.
  • Mitigation measures: Combine the solutions provided to avoid an excessive collection with security and access controls.

Inability of the data controller to communicate details of any personal data breach to data subjects | Low Impact - Very Low Probability

  • The nature of the data being collected results in our inability to directly communicate to specific individuals that a data breach has affected them.
  • Response: Accept such risk.
  • Existing Mitigation: We will still be able to notify the relevant Supervisory Authority should a data breach result in a risk to the fundamental rights and freedoms of individuals.

Personal data retained for longer than necessary | Medium Impact - Medium Probability

  • Is it possible that, either through a communication failure with the data processor, or a as result of its systems failing to work as described, data is stored for longer than required in our data processing agreement?
  • Response: Reduce such risk.
  • Mitigation measures: We have scheduled a quarterly reminder to the data processor's customer service representative to guarantee internal follow-up and verification that the agreed data retention policies are being enforced.