Real Time Digital Ad Auditing for All - Controls

Infrastructure security

CONTROL STATUS
PII transmission controls for processor

The company encrypts PII in transit.

PII transmission controls for controller

The company implements technical controls to ensure data transmitted to third parties reaches its destination.

Data encryption utilized

The company's datastores housing sensitive customer data are encrypted at rest.

Remote access encrypted enforced

The company's production systems can only be remotely accessed by authorized employees via an approved encrypted connection.

Data transmission encrypted

The company uses secure data transmission protocols to encrypt confidential and sensitive data when transmitted over public networks.

Production network access restricted

The company restricts privileged access to the production network to authorized users with a business need.

Production deployment access restricted

The company restricts access to migrate changes to production to authorized personnel.

Unique network system authentication enforced

The company requires authentication to the "production network" to use unique usernames and passwords or authorized Secure Socket Shell (SSH) keys.

Unique account authentication enforced

The company requires authentication to systems and applications to use unique username and password or authorized Secure Socket Shell (SSH) keys.

Network firewalls utilized

The company uses firewalls and configures them to prevent unauthorized access.

Network segmentation implemented

The company's network is segmented to prevent unauthorized access to customer data.

Network firewalls reviewed

The company reviews its firewall rulesets at least annually. Required changes are tracked to completion.

Network and system hardening standards maintained

The company's network and system hardening standards are documented, based on industry best practices, and reviewed at least annually.

Intrusion detection system utilized

The company uses an intrusion detection system to provide continuous monitoring of the company's network and early detection of potential security breaches.

Anti-malware technology utilized

The company deploys anti-malware technology to environments commonly susceptible to malicious attacks and configures this to be updated routinely, logged, and installed on all relevant systems.

Access requests required

The company ensures that user access to in-scope system components is based on job role and function or requires a documented access request form and manager approval prior to access being provisioned.

Organizational security

CONTROL STATUS
Production inventory maintained

The company maintains a formal inventory of production system assets.

Countries and international organizations to which PII can be stored for processor

The company documents all countries where PII is stored.

Countries and international organizations to which PII can be transferred for controller

The company specifies and documents the countries and international organizations where PII is transferred.

Records of transfer of PII

The company documents transfers of PII to or from third parties and ensures cooperation with the requests from data subjects.

Data inventory

The company creates and maintains a PII data inventory.

For controllers:

  • the name and contact details of the controller
  • the purpose behind the processing of data
  • a description of the categories of data that will be processed
  • who will receive the data including data
  • documentation of suitable safeguards for data transfers to a third country or an international organization
  • the retention period of the different categories of data
  • a general description of the technical and organizational security measures

For processors:

  • the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer
  • the categories of processing carried out on behalf of each controller
  • documentation of suitable safeguards for data transfers to a third country or an international organization
  • a general description of the technical and organizational security measures

Access revoked upon termination

The company completes termination checklists to ensure that access is revoked for terminated employees within SLAs.

MDM system utilized

The company has a mobile device management (MDM) system in place to centrally manage mobile devices supporting the service.

Internal security procedures

CONTROL STATUS
Password policy enforced

The company requires passwords for in-scope system components to be configured according to the company's policy.

Return, transfer or disposal of PII

The company returns, transfers, or disposes of PII in accordance with its policies and commitments. (SCC 8.5)

Identify lawful basis

The company documents the lawful basis for PII processing.

Limit collection

The company limits collection of PII to the minimum that is necessary for its purposes.

PII minimization

The company ensures that it only collects and processes data which it needs for its purposes.

PII de-identification and deletion at the end of processing

The company deletes or de-identifies PII when it is no longer needed.

Retention of PII

The company does not retain PII longer than necessary for its purposes.

Disposal of PII

The company documents policies, procedures and mechanisms for disposal of PII.

Appoint EU representative

The company shall appoint an EU-based representative.

Appoint EU lead supervisory authority

If the company is operating in more than one EU state, then identify a lead Data Protection Authority.

Customer data deleted upon leave

The company purges or removes customer data containing confidential information from the application environment, in accordance with best practices, when customers leave the service.

Required Contribution for Binding Arbitration Mechanism

Provide evidence that the company has made the required contribution to the International Centre for Dispute Resolution-American Arbitration Association (ICDR-AAA) DPF arbitral fund as identified in Annex I of the DPF Principles. 

Guidance: Visit the ICDR-AAA’s website at https://go.adr.org/dpf-annexi-fund.html to make the required contribution.

Annual Verification of DPF Compliance

Organizations must provide follow-up procedures for verifying that the attestations and assertions they make about their EU-U.S. DPF privacy practices are true and those privacy practices have been implemented as represented and in accordance with the Principles.

Where the organization has chosen self-assessment, such verification must verify that: 

i. its privacy policy regarding personal information received from the EU is accurate, comprehensive, readily available, conforms to the Principles, and is completely implemented (i.e., is being complied with). 

ii. individuals are informed of any in-house arrangements for handling complaints and of the independent recourse mechanism(s) through which they may pursue complaints;

iii. that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it;

iv. that it has in place internal procedures for periodically conducting objective reviews of compliance with the above.

An organization must verify such attestations and assertions either through self-assessment or outside compliance reviews as follows:

i. A statement verifying that the self-assessment has been completed must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance.

OR

ii. A statement verifying that an outside compliance review has been successfully completed must be signed either by the reviewer or by the corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about compliance.

Designate a DPF Contact

Designate an internal contact for questions or compliance related to the DPF and communicate that information in the company's Privacy Notice.

Internal Privacy Policy

Implement an Internal Privacy Policy which governs the use of personal information for employees, applicants, and contractors.

Guidance: This will need to be submitted to the ITA if your DPF certification covers HR data.

Accuracy and quality

The company has a process to ensure that PII is complete, accurate, and up-to-date.

Appoint Data Protection Officer

If processing meets one of these conditions, then appoint a Data Protection Officer:

  • you are a public authority or body,
  • the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • the core activities of the controller or the processor consist of processing on a large scale of special categories of data, or personal data relating to criminal convictions and offenses

DPF-Compliant Privacy Policy Statement

The company's Privacy Notice (i.e. Privacy Policy) must include the following elements to comply with DPF requirements:

i. its participation in the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and, as applicable the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) and provide

ii. a link to, or the web address for, the Data Privacy Framework List

iii. the types of personal data collected and, where applicable, the U.S. entities or U.S. subsidiaries of the organization also adhering to the DPF Principles

iv. its commitment to subject to the DPF Principles all personal data received from the European Union and, as applicable the United Kingdom (and Gibraltar), and/or Switzerland in reliance on the relevant part(s) of the DPF program

v. the purposes for which it collects and uses personal information

vi. how to contact the organization with any inquiries or complaints, including any relevant establishment in the European Union and, as applicable, the United Kingdom, and/or Switzerland that can respond to such inquiries or complaints

vii. the type or identity of third parties to which it discloses personal information, and the purposes for which it does so

viii. the right of individuals to access their personal data

ix. the choices and means the organization offers individuals for limiting the use and disclosure of their personal data

x. the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual, and whether it is:

(1) the panel established by the EU DPAs and, as applicable, the UK Information Commissioner’s Office (ICO) (and the Gibraltar Regulatory Authority (GRA)), and/or the Swiss Federal Data Protection and Information Commissioner (FDPIC),

(2) an alternative dispute resolution provider based in the European Union and, as applicable, the United Kingdom, and/or Switzerland, or

(3) an alternative dispute resolution provider based in the United States

xi. that the company is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC), the U.S. Department of Transportation or any other U.S. authorized statutory body

xii. the possibility, under certain conditions, for the individual to invoke binding arbitration

xiii. the requirement to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements

xiv. the company's liability in cases of onward transfers to third parties.

Guidance: For item x. Independent Dispute Resolution Body, the company only needs to designate one of these bodies and for most US-based companies (3) is the simplest to establish.

Incident management procedures followed

The company's security and privacy incidents are logged, tracked, resolved, and communicated to affected or relevant parties by management according to the company's security incident response policy and procedures.

Breach policy and procedure

The company establishes policies and procedures to respond to data breaches, including notification procedures.

Incident response policies established

The company has security and privacy incident response policies and procedures that are documented and communicated to authorized users.

Privacy impact assessment

The company performs a privacy impact assessment for processing or changes to processing, which represent a high risk to the rights and freedoms of data subjects.

Assist controllers with privacy obligations

The company's Data Processing Agreements (DPA) with the customers (controllers) commit to assisting them with privacy obligations.

Basis for PII transfer between jurisdictions

The company's Master Services Agreement (MSA) informs the customer of the legal basis for transfers between jurisdictions and allows customers to object to changes or terminate service.

Sub-processor changes

The company communicates the changes to sub-processors to the customer in writing with the opportunity to object.

Contracts with PII processors

The company implements a written contract with all PII processors, which includes their requirements.

Service infrastructure maintained

The company has infrastructure supporting the service patched as a part of routine maintenance and as a result of identified vulnerabilities to help ensure that servers supporting the service are hardened against security threats.

Continuity and Disaster Recovery plans established

The company has Business Continuity and Disaster Recovery Plans in place that outline communication plans in order to maintain information security continuity in the event of the unavailability of key personnel.

Continuity and Disaster Recovery plans tested annually

The company has a documented business continuity/disaster recovery (BC/DR) plan and tests it annually.

Data and privacy

CONTROL STATUS
Data classification policy established

The company has a data classification policy in place to help ensure that confidential data is properly secured and restricted to authorized personnel.

Access, correction and/or erasure

Defined process and procedure for data subjects to access and correct their PII.

Guidance: This is typically the data subject access request process.

Handling DSAR requests

Define and document procedures for handling Data Subject Access Requests (DSAR).

Identify basis for PII transfer between jurisdictions

The company identifies and documents its legal basis for transferring PII between jurisdictions.

Pseudonymization

The company determines any need for pseudonymization and implements it as needed.

Asset disposal procedures utilized

The company has electronic media containing confidential information purged or destroyed in accordance with best practices, and certificates of destruction are issued for each device destroyed.

Portable media encrypted

The company encrypts portable and removable media devices when used.

Process as per processor agreements

The company only processes PII for the purposes expressed in contract (SCCs 8.1 and 8.2).

Marketing and advertising use

The company does not use the PII collected for services for marketing and advertising without consent.

Consent for marketing is not required for using services.

Infringing instruction

The company informs the customer if processing instructions are illegal. (SCC 8.1(b))

Customer obligations

The company provides their customer with information sufficient for them to demonstrate their privacy compliance. (SCC 8.9(b))

Records related to processing PII

The company maintains necessary privacy records.

Notification of PII disclosure requests

The company communicates legally binding disclosures for PII to the customer before disclosure where possible. (SCC 15.1-2)

Legally binding PII disclosures

The company rejects any non-binding PII disclosures. (SCC 15.2)

Disclosure of subcontractors used to process PII

The company discloses all PII sub-processors to the customer.

Identify and document purpose

The company documents the purpose for which PII is processed.

Consent obtained

The company determines and documents when and how consent was obtained.

PII data subject notice

The company determines and documents requirements for notice to data subjects and the timing of the notice.

PII data subject information

The company provides data subjects clear and easily accessible information identifying the controller and describing the PII processing.

Modify or withdraw consent

The company provides a mechanism to modify or withdraw consent.

Guidance: This is typically the data subject access request process.

Object to PII processing

The company provides a mechanism for data subjects to object to processing.

Guidance: This is typically the data subject access request process.

PII controllers' obligations to inform third parties

Establish a process, policies and procedures for notifying sub-processors of corrections, deletions or withdrawals of PII.

Copy of PII processed

Establish a process of providing a copy of PII to data subjects upon verified request.

Automated decision making

Identify and address obligations to data subjects resulting from decisions made from automated processing (if applicable).

Records of PII disclosure to third parties

The company should record disclosure of PII to third parties, including what has been disclosed and at what time.

Determine needs and perform transfer impact assessment

If processing includes:

  • systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
  • processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
  • systematic monitoring of a publicly accessible area on a large scale.

Independent Recourse Mechanism

The company shall make readily available an independent recourse mechanism by which each individual’s complaints and disputes are investigated and expeditiously resolved at no cost to the individual.

Guidance: Register with JAMSADR or a similar service. https://www.jamsadr.com/dpf-registration-page

DPF Certification

Once the company has verified that it has the information needed to self-certify (https://www.dataprivacyframework.gov/s/article/Self-Certification-Information-dpf), it can submit the information to the International Trade Administration (ITA) via the "Self-Certify" page on the https://www.dataprivacyframework.gov/ website.