Privacy Policy | Dentsu London Limited (dentsu)

Dentsu Spartan Privacy Notice

Dentsu UK Limited (“our”, “us”, “we”), whose registered office is at 10 Triton Street, Regent’s Place, London, NW1 3BF, is part of the dentsu group (“dentsu”). We are a global digital and media advertising agency. Our core business is to help our clients improve how they advertise and market, whether by print, post, email or on websites. Information provided by people like you is therefore important to our business.

Spartan Technology

Dentsu’s advertising technology, Spartan, helps our clients (“Advertisers”, “Clients”) display digital or online ads for their goods and services. To do this, Advertisers will contract with us to use our Spartan technology to deliver their ads on their own website or, third-party websites. We refer to those third parties who own third party websites and who sell advertisement space to Advertisers as a “Publisher”.

We engage with Publishers using Supply Side Platforms (a software tool that allows Publishers to sell their advertising space to Advertisers in an automated and efficient manner) (“SSPs”). As part of delivering our services to Advertisers, personal data may be collected from you when you visit an Advertiser’s website using our Spartan technology or, via a Publisher’s SSP, when you visit a Publisher’s website.

About this Notice

The purpose of this privacy notice (“Notice”) is to inform individuals (“you”) about the types of personal information we collect from you and third parties, where that personal data comes from, how we use your personal data, how we share your personal data, the legal basis we rely on for processing your personal data, how we protect your personal data, how long we keep your personal data and what your rights are in relation to your personal data.

Dentsu is responsible, as controller, in respect of certain personal data described in this Notice, for example, the personal data we collect when you visit a Publisher’s website. Dentsu may also act as processor in respect of certain personal data described in this Notice, for example, when processing personal data on behalf of Advertisers using our Spartan technology.

This Notice does not cover:

our website activities (please see here for our Website Privacy Notice);
other data processing activities of our affiliates and/or other dentsu products;
the data processing of our clients.

1. Types of personal data we may collect

When you visit a website, we collect certain information about your visit. For example, SSPs engaged by a Publisher of that website sends us a request to show you an ad. We collect certain information about ad inventory and you and your device to help inform our Advertiser’s decision to serve an ad. We also collect information through our Advertiser’s websites that use our Spartan technology.

· User ID: we may collect your user ID, a unique identifier assigned to you.

· Device ID: we may collect your device’s unique identifier, known as a device ID.

· Advertisement ID: we may collect your device’s advertisement ID, which is a unique identifier assigned to your device for advertising purposes.

· Internet Protocol (IP) Address: we may collect your IP address which is a numerical identifier assigned to your device by your internet service provider.

· Non-Specific Location Data: we may collect non-specific geographic location data as derived from the collection of your IP address, for example, the city you are located in.

· Privacy Choices: we will process users’ signals or part of it as defined by the policies or specifications sent by a consent management platform, to decide on the extent of processing we may perform on your personal data to enable our ad logic and performance tracking, and also communicate it across to other vendors engaged in services for our client so they may do the same. Those choices include but are not limited to, information about the transparency, consent, and/or objection status of a vendor and/or purpose, the opt-in status of a special feature, and Publisher restriction.

· Device ID: each time you visit a website of one of our Publishers / SSPs or clients, we receive a request which includes certain device information, including your browser’s User Agent String (a text identifier that a browser sends to each website you visit) and/or information including your device’s brand name, operating system name and version, browser name and version.

2. Types of data we collect from third parties

We also obtain your consent string data from Publisher’s or, Advertiser’s that are using our Spartan technology.

· Consent String Data: before you see an ad on a website and/or when you visit a website for the first time, the Publisher and/or Advertiser obtains your consent for our processing activities via their consent management platform. If you provide your consent or objection to that Publisher and/or Advertiser, we will receive your consent string which shall provide us with your preferences in respect of our processing activities.

3. How we use your personal data

In the table below we have set out further information about the purposes for which we use your personal data and the legal basis we rely on for its use.

Categories of personal data involved	Processing purpose	Legal basis
User ID	To prevent you from seeing the same ad multiple times and to target you with ads relevant to your interests. This may also be used to record how many users have clicked through an ad and reached a certain point on an Advertiser's website.	Consent (based on the consent you provide to Publisher’s and/or Advertisers using our Spartan technology via their consent management platform)
Advertisement ID	To track your interactions with ads you encounter, including clicks and views.	Consent (as above)
IP Address Device ID	To check and log your approximate region of origin and to check against a database of active fraudulent bots. We also use your IP address to determine whether you are based in the EEA so that we can ensure that your personal data remains in the EEA.	Legitimate interests It is in our legitimate interests to process this information for these purposes to ensure that Advertisers and Publishers are not being defrauded or paying for ads that have not been seen by a real person. It is also in our and your legitimate interest to keep your data within the EEA so that we can ensure that your data is processed in compliance with applicable data privacy laws.
Non-Specific Location Data	For ad targeting purposes.	Legitimate interests It is in our legitimate interests to show some ads in some general geographical locations but not others, for example, so that we can deliver location-based content and targeted advertisements relevant to your region.
Non-Specific Device Information	For ad targeting purposes.	Legitimate interests It is in our legitimate interests to show different ad formats to different device types to better fit their sizes and characteristics, as well as for troubleshooting potential issues happening on specific device types.
Consent String Data	To determine the extent to which we are permitted to process your personal data, including the types of ads we can select and serve to you based on the consent preferences you provide to a Publisher and/or Advertiser.	Legitimate interests It is in our legitimate interests to use Consent String Data so that we can understand your consent preferences and ensure compliance with data protection laws.

4. Special category data and children’s data

We do not knowingly process any special category data. We do not knowingly process the personal data of individuals under the age of 16. If you have any concerns about your child’s privacy in relation to our services, or if you believe that your child may have provided personal data via our Spartan technology without appropriate consent, please contact us at dpo@dentsu.com.

5. Sharing your personal data

We share anonymous and aggregated reports, using server log data, about the advertising campaigns that we have delivered with the relevant Advertiser and with SSPs. We share these reports to demonstrate to Advertisers that we have delivered their advertisements in accordance with our contract with them. We share these reports with SSPs should there be a dispute about payments and charges of advertisement slots. The reports that we provide will not enable either the Advertiser or the SSPs to identify you or communicate with you in future for any purpose.

We also share your consent preferences with other media and advertising partners for the purposes of third-party ad verification and attribution (as instructed by our clients to ensure the results from our reports are accurate and leading to the client’s desired business outcomes) and allowing them to establish a legal basis for processing your personal data.

We will share your personal data if we think we have to in order to comply with the law or to protect ourselves, our clients and others. We may share any or all categories of personal data to respond to a court order or subpoena. We may also share this personal data if a government agency or investigatory body requests it. We might share your personal data in order to enforce our agreements and to protect our rights and/or the rights of others. We might share your personal data when we are investigating potential fraud.

We may share your personal data as part of a transaction, financing, with a successor to all or part of our business, or for other business needs. For example, if we sell or merge any of our businesses (including any of our affiliates, divisions, and business units) or assets, we may disclose your personal data as a part of that transaction, including to the prospective buyer or partner, lender or bank, as the case may be. We may also share your personal data if there is a similar change to our corporate structure. We may also share your information with others as part of certain due diligence processes.

We may share your personal data within our group of companies and with third parties for the purpose of management and administration of our business, including sharing information to those third parties that provide services to us. For example, we may share your personal data with our software technology partners for the purposes of facilitating the delivery of the Spartan technology.

We may share personal data for other reasons we may describe to you from time to time or as permitted by law.

6. How long we keep your personal data

We will keep your personal data for as long as is necessary for the purposes described in this Notice, and in accordance with our legal obligations. After this time, your personal data will be securely and automatically deleted.

7. How we protect your personal data

Our safeguards include robust systems and processes designed to ensure that we collect only the minimum personal data necessary to pursue the purposes for which we process your personal data, and that only those who need to view your personal data can see it.

Under dentsu’s Chief Information Security Officer, there is a group-wide security function tasked with understanding security threats. Policies have been implemented to help keep your personal data secure. These policies are aligned to applicable regulations and industry standards including ISO27001 and NIST and are applicable to all parts of dentsu.

8. Transferring your personal data overseas

Your personal data is kept on servers in servers located within the EEA. We may transfer your personal data to countries where dentsu group companies or clients are located so that they may review and use the personal data for the purposes described in this Notice. When we transfer data, we take appropriate steps to ensure compliance with UK and EU data protection law. These steps might include, for example, transferring the personal data to a country which the UK Information Commissioner or the European Commission (as appropriate) has decided provides adequate protection for personal data, or to a company which has signed standard contractual clauses, or an international data transfer agreement approved by the European Commission/UK Information Commissioner respectively.

9. Your rights in relation to your personal data

You have rights (with some exceptions and restrictions) to:

object to our processing of your personal data, including profiling. You can object, on grounds relating to your particular situation, at any time. In which case, we shall stop processing the data that your objection relates to, unless we can show compelling legitimate grounds to continue that processing;
access your personal data. If you make this kind of request and we hold personal data about you, we are required to provide you with information on it, including a description and copy of the personal data and why we are processing it;
request that we provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format;
request erasure of your personal data in certain circumstances;
request correction or updating of the personal data that we hold about you and that is inaccurate;
request the restriction of our processing of your personal data in some situations. If you request this, we can continue to store your personal data but are restricted from processing it while the restriction is in place;

· complain to your local data protection authority about our collection or use of your personal data. For example, in the UK, the local data protection authority is the UK Information Commissioner's Office.

To exercise your rights, you can directly contact the organisation with whom you shared your personal data – in this case you should refer to their respective privacy notices. Alternatively, you can contact us directly using the contact details set out below. If you choose to exercise the rights described above, we may ask you to provide additional information so that we can satisfy ourselves of your identity before we take further action.

10. How to contact us

If you have any questions about this Notice or would like to exercise any of the rights mentioned above, you can contact our Data Protection Officer in any of the following ways:

Address: Data Protection Officer, Dentsu UK Limited, 10 Triton Street, Regent’s Place, London, NW1 3BF

Telephone: (+44) (0) 207 070 7700

Email: dpo@dentsu.com

11. IAB Europe

Dentsu UK Limited is a vendor (Vendor ID: 122) on the IAB Transparency and Consent Framework (“TCF”). TCF offers transparency to users about which vendors are operating as a first party (such as a Publisher), what purposes they process personal data for, and a clear mechanism for opting out of the vendor's purposes. For more information please visit: https://iabeurope.eu/transparency-consent-framework/

12. Cookies

What are “cookies”?

Cookies are small packets of information stored by your browser when you visit certain websites. Cookies are generally used by websites to improve your user experience by enabling that site to ‘remember’ you, either strictly for the duration of your visit (using a “Session” cookie which is erased when you close your browser) or for repeat visits (using a “Permanent” cookie). Cookies set by us are called first-party cookies. We also use third party cookies which are cookies from a domain different to the domain of the website you are visiting.

How to manage third party cookies

If you do not want to consent to third party cookies, it is possible to change your browser settings and delete existing cookies from your browser. Most web browsers allow some control of cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set, visit www.aboutcookies.org or www.allaboutcookies.org.

Find out how to manage cookies on popular browsers:

Withdrawing your consent

If you do not provide your consent for the use of dentsu’s cookies used in Spartan technology, it may result in certain limitations to your ad experience. Specifically, without the use of cookies, we may not be able to tailor advertisements to your preferences or interests effectively. Cookies also help us limit the number of times you see the same ad, ensuring a diverse and engaging ad experience.

If you do consent and later wish to withdraw your consent to the use of cookies at any time, please click here.

Our Spartan technology uses the following types of cookies:

Targeting Cookies

These cookies may be set by our platform based on a visit to one of our Advertiser’s sites, or one of the Publisher sites we place advertising on in their behalf. They may be used by us to build a list of users who have interacted with a specific Advertisers page or have seen/interacted with a specific advertisement on a Publisher page, to then show you a specific ad as part of a sequence. They do not store directly personal information but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Cookie Subgroup	Cookies	Cookies used	Lifespan
metadsp.co.uk	ruiid, ruuid_lu, c,	Third Party	364 Days

Performance Cookies

These cookies allow us to accurately track specific events that happen after you see one of our Client’s ads. They are set when you view the Client’s ad and are checked when you visit a specific section of our Client’s page (under their control) to be counted in an aggregated report. This helps our Client’s optimise their spends towards the circumstances that provide them the best return for their advertising spends, based on specific events or information you are exposed to, either on the site where you saw the ad or on that Client’s site (but not everywhere in the web). The cookies do not contain any personal information, nor do they allow us to track your browsing data, patterns or behaviour. If you do not allow these cookies we will not be able to show you ads for campaigns where our Clients require it.

Cookie Subgroup	Cookies	Cookies used	Lifespan
metadsp.co.uk	landing, pcc, pvc	Third Party	364 Days

Strictly Necessary Cookies

These cookies are necessary for a website to function and cannot be switched off in our systems. They are only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personal data.

Cookie Subgroup	Cookies	Cookies used	Lifespan
metadsp.co.uk	ruiid=opt-out	First Party	365 Days

SUPPLEMENTARY INFORMATION

We may occasionally update this Notice from time to time to reflect changes in our practices, technologies or legal requirements. We encourage you to review this Notice periodically to stay informed about how we are processing your personal data.

In this Supplementary Information section, we explain some of the terminology used in the Notice.

"controller" – the person or company that controls the purposes and means of processing personal data.
"EEA” – the European Economic Area, which comprises the current countries in the European Union plus Iceland, Liechtenstein and Norway.
"personal data" – any information that relates to you (or from which you can be identified).
"processing" – doing anything with personal data. For example, collecting it, storing it, disclosing it and deleting it.
“processor” – a person or company that processes personal data on behalf of the controller.