Sperber Posted May 4, 2018

Given that the GDPR comes into effect on May 25th, is there anything in the pipeline to make Revive comply with the EU regulation? Actually, Revive processes a whole bunch of personal data, and the use of it will be penalized in the end through fines. I wonder why there is not one official statement about the whole GDPR thing, as this needs to be clarified by Erik ASAP. Otherwise we all have to shut down our Revive installations or we have to face drastic fines for using it beyond May 25th. 20 days to go, plus the rest of today.

Erik Geurts Posted May 4, 2018

Well, on the contrary... Revive Adserver processes and stores hardly any personal data.

Either way, Revive Adserver is just a piece of software. The publisher using it is ultimately responsible for how they use it. They are the 'data controller' and most likely also the 'data processor'. Nothing new here, same for any other software being used by the same publisher.

GDPR is not a technical issue, it's primarily a legal issue.

Also, GDPR has been in effect since May 25, 2016. Everyone should have been compliant for a long time already. The only thing new is that enforcement will start on May 25, 2018.

tobean Posted May 7, 2018

Hi Erik,

this is your answer to this really important question? The official answer? Then, this is the end of Revive in the EU! I fully agree with Mr. Sperber. Really disappointing after so many years ...

tobean

Sperber Posted May 7, 2018 (edited)

On 5/4/2018 at 4:50 PM, Erik Geurts said:
> Well, on the contrary... Revive Adserver processes and stores hardly any personal data.

At first glance it may look like this. Since the beginning of 2018 I have had the dubious pleasure of working my way through the GDPR, national supplementary laws and the legal advice of the IT law firm consulted, and of implementing the needed changes with the IT desk on the websites of the company I am working for. There is light at the end of the tunnel and we will be complying with the IOC regulations end of this week. But in short: it's a pain in the arse and there are literally hundreds of possibilities to make a wrong turn.

Now, I am using Revive on my personal websites. I am afraid you're going wrong in assuming Revive wouldn't handle and process personal data. Of course it does, if you take a look at the GDPR and the definitions within it of which data is defined as personal data. It's a long list, and in summary it is all the data Revive gets from the browser information of a visitor, IP addresses and of course even setting cookies prior to the consent of the visitor and reading the cookie information back, to serve the "right" ads at a time. Not to mention geotargeting or how data of customers with access to Revive are processed.

When you now say Revive wouldn't handle and process personal data, then - to my understanding of how Revive works - Revive technically couldn't deliver a single ad, as it couldn't even detect that there is a website visitor in the first place.

On 5/4/2018 at 4:50 PM, Erik Geurts said:
> The publisher using it is ultimately responsible for how they use it. They are the 'data controller' and most likely also the 'data processor'. Nothing new here, same for any other software being used by the same publisher.

Absolutely, I agree. That's why I am asking whether there are plans to make Revive comply with the GDPR or not.
If not, we publishers with users from the EEA will be forced to shut down Revive - and that's the last thing we want to do. But as we are all assumed to be some sort of for-profit companies, with the GDPR it only needs 2 people getting mad at you and filing a complaint with the national data protection agency and you'll face a 25.000 EUR fine. There isn't really a choice whether you, as a publisher or website owner, comply with the GDPR or not. I just can't afford that bill and I doubt that any other publisher can afford this.

Such a scenario maybe won't happen on May 25th. Not even in the weeks or months to follow, if you are lucky. The point is that, if we don't take the plunge to work and close these risk gaps, I'll guarantee, somebody will and we'll find ourselves in serious - and for many ruinous - trouble.

On 5/4/2018 at 4:50 PM, Erik Geurts said:
> GDPR is not a technical issue, it's primarily a legal issue.

Unfortunately, regarding Revive it's both. Sure, primarily it's a legal issue. The problem with this is that - at the time of writing - there are no technical functions available in Revive to be able to comply with them. Just to name a few and to make the problems more visible:

> Under Article 17 of the GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.

(https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/)

> The right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine readable format. It also gives them the right to request that a controller transmits this data directly to another controller.

(https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-data-portability/)

or the user's right to be informed as stated in https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/

> You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’. You must provide privacy information to individuals at the time you collect their personal data from them. You must regularly review, and where necessary, update your privacy information. You must bring any new uses of an individual’s personal data to their attention before you start the processing.

and prior to all that, the lawful basis for processing as stated in https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/

> Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation. Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent. Keep evidence of consent – who, when, how, and what you told people.

Last, but not least, all this has to be documented in a way that agencies - like your national data protection agency - can check at any given time whether you are complying with the GDPR or not.

All of this in fact is a technical issue, as we publishers would need integrated tools for that. With the answer you have given so far, I understand that there won't be any - or some kind of - GDPR solutions available. Maybe I can inspire you to think your decision over again. Would be a pity to give up on Revive.

Regards, Chris.

Edited May 7, 2018 by Sperber

svsanchez Posted May 23, 2018

Still no answer from the admins and just 2 days to go... Have you ditched Revive Ad Server?

Ian Posted May 24, 2018

https://github.com/revive-adserver/revive-adserver/commits/gdpr