Last version updated on July 16, 2020
Targetspot is a digital audio advertising platform.
Modern information and communication technologies play a fundamental role in the activities of an organization like Targetspot.
The Targetspot Services include all services supplied by Targetspot and its WebSite, in particular: digital audio advertising, enhancement and provision of multimedia content, communication between users, use of its technical tools (Passport Technologies, notably Campaign Manager: passport.targetspot.com) and more generally, any other service proposed by Targetspot. The Targetspot Services include also communications intended for users, particularly administrative messages, newsletters pertaining to the Targetspot Services and forums/blogs.
1. Identification of the WebSite and its operator
2. Which type of Personal Data does Targetspot collect – How does Targetspot use Your Personal Data and on what legal basis?
“Personal Data” is any information relating to an identified or identifiable natural person.
2.1 – Personal data of the User processed by Targetspot
By entering into an agreement with Targetspot, the Publisher acknowledges that Targetspot may process personal data relating to the Publisher. In such case, Targetspot will act as the data controller.
2.1.1 Categories of personal data processed
The personal data processed by Targetspot are collected through the creation of a Publisher account through the use of one of its technical tools (such as Passport Technologies). The following personal data may thus be processed by Targetspot:
- first and last names;
- email address;
- phone number;
- address and country;
- credit card information;
- VAT number, tax ID and SSN.
The following additional categories of personal data may also be processed: operated Streams.
2.1.2 Use of the personal data
The personal data may be processed for the purposes of:
- creating, identifying, verifying and managing the Publisher’s subscriptions;
- setting the preferred language of the Publisher’s account;
- controlling the Publisher’s access rights;
- contacting and answering the Publisher’s queries;
- correcting assignments of access and functions;
- identifying use/misuse of Targetspot Services;
- encoding of Publisher’s advertising campaigns;
- exporting of campaign reports by the Publisher;
- accessing the inventory by the Publisher;
- creating programmatic deals directly in Passport by the Publisher;
- access and download of invoices by Publisher directly from the Passport application at the end of the month;
- more generally, for the purpose of providing Targetspot Services and executing the agreement existing between Publisher and Targetspot.
- Targetspot may also collect and process Personal Data to keep You posted on Targetspot latest product or services releases, software updates and upcoming events by email (direct marketing).
2.1.3 Legal basis for the processing
TargetSpot relies on the legitimate interests of Targetspot to execute the agreement existing between the Publisher and Targetspot in order to process the Publisher’s personal data.
Targetspot further relies on the Publisher’s consent to send direct marketing communications, unless Targetspot has a legal right to do so. Indeed, Targetspot may send You a hard-copy newsletter at the postal address You provided Targetspot with.
The legal basis for this processing is the legitimate interests of Targetspot, namely to market the Targetspot Services to its users. You may always unsubscribe from those newsletters by following the guidelines included in those newsletters.
If You communicate Your phone number to Targetspot, this means that You accept to receive a phone call from Targetspot or from one of our affiliated partners. If You do not wish to receive such phone calls any longer, contact Targetspot at [email protected].
Targetspot also uses Your Personal Data to create, develop, operate, deliver, and improve its products, services, content as well as for other internal purposes such as auditing, data analysis, data reporting, payments and research. The legal basis for this processing is the legitimate interests of Targetspot, namely to improve its products, services and content in order to serve its customers in the most appropriate way.
Targetspot may use Your Personal Data to verify Your identity for accounting or reporting purposes or if required for the provision of the Targetspot Services. The legal basis for this processing is the necessity to execute the agreement between You and Targetspot for the provision of the Targetspot Services as well as to comply with Targetspot’s legal obligations.
Targetspot may use Your Personal Data to send important notices, such as communications about subscriptions and changes to Targetspot’s terms and conditions or policies. The legal basis for this processing is the necessity to execute the agreement between You and Targetspot for the provision of the Targetspot Services as well as to comply with Targetspot’s legal obligations.
2.2 – Processing of personal data by Targetspot on behalf of the Publisher
In the performance of Targetspot Services, Targetspot may process, on behalf of the Publishers, personal data relating to the listeners of the Publisher’s Streams or end-users of their radio station-services. In that case, Targetspot acts as a processor on behalf of the Publishers (acting as a data controller) and Appendix 1 (which includes the necessary provisions to comply with Article 28 of Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)) will apply.
The Publisher warrants that the Personal Data (as defined in Appendix 1) were collected in compliance with the applicable Data Protection Law (as defined in Appendix 1) and that it is entitled under the Data Protection Law to permit Targetspot to process the Personal Data. This includes, without limitation, Publisher’s compliance with its obligations to process Personal Data on the basis of a valid legal ground and to provide the mandatory information under Data Protection Law to the Data Subjects (as defined in Appendix 1). The Publisher further guarantees Targetspot against any claim or complaint made by a listener of its Streams or end-users of its radio station service in relation with the Targetspot Services and the processing of the Personal Data.
As the Publisher’s Processor, Targetspot shall only process Personal Data for the following purposes:
- processing required to provide the Targetspot Services in accordance with agreements existing between Targetspot and the Publishers;
- processing to comply with other reasonable instructions provided by Publishers that are consistent with the terms of the agreement existing between Targetspot and the Publisher. Targetspot acts on behalf of and on instructions of the Publishers in carrying out all Processor responsibilities. Targetspot shall process Personal Data in accordance with the requirements of the Data Protection Laws and Publishers will ensure that its instructions for the Processing of Personal Data shall comply with the Data Protection Laws.
3. Collection and use of non-Personal Data by Targetspot
Targetspot also collects data in a form that does not, on its own, permit direct association with any specific individual. Targetspot may collect, use, transfer, and disclose non-Personal Data for any purpose.
When You visit the WebSite or interact with Targetspot Services, we may use automatic data collection technology that records non-personally identifiable information from Your browser or device. Targetspot also may collect or receive other non-personally identifiable information from the WebSite, from Targetspot Ads or from data aggregators, streaming services and other third parties. This information may include information about Your operating system, browser type and language, referring and exit pages and URLs, keywords, date and time, amount of time spent on particular pages, what sections of a website You visit, Your use of the WebSite and interactions with Targetspot Ads and the streaming services on which the Targetspot Ads appear, as well as other non-personally identifiable information associated with your IP address or device that is maintained by third party data aggregators (collectively, “Anonymous Information”).
Targetspot may collect and store details of how You use the TargetSpot Services. This data may be used to improve the relevancy of results provided by the TargetSpot Services.
4. Protection of Personal Data – security measures
Targetspot takes the security of Your Personal Data very seriously. Targetspot implements policy, rules and security measures targeting the protection of Personal Data.
Targetspot diligently updates, corrects and eliminates Personal Data that are inaccurate, incomplete or irrelevant.
Targetspot warrants that, for persons acting under its authority, access to Personal Data and the possibilities for processing these Personal Data are limited to what is needed by these persons for the exercise of their duties.
Targetspot informs persons acting under its authority of the provisions of European and Belgian Data Protection and Privacy laws, as well as any relevant requirements concerning protection of privacy in the processing of Personal Data.
Targetspot ascertains compliance of programmes used for automatic processing of Personal Data and monitors the regularity of their application.
Targetspot ascertains that any person who has access to Personal Data can only process such Personal Data on instructions of Targetspot, except in the case of an obligation imposed by or in virtue of the law, a decree or a court order.
Targetspot takes the necessary technical and organizational measures to safeguard against accidental or unauthorized destruction, accidental loss and modification, access or any other unauthorized processing of Personal Data.
These measures ensure an adequate level of protection in view, on one hand, of the state of techniques in the field and the costs entailed for the application of these measures and, on the other hand, of the nature of the Personal Data to be protected and the potential risks.
5. Transfer of personal data
The Publisher acknowledges that Targetspot may disclose personal data to its subcontractors for the above-mentioned purposes, both inside and outside the European Economic Area, namely its affiliated companies: Targetspot Inc.; Targetspot France EURL; Targetspot Espana SL; Targetspot GmbH. The Publisher acknowledges that this may involve transfers of personal data to countries that do not provide an adequate level of protection. Appropriate contractual measures will be taken to ensure the security of the Publisher’s personal data in compliance with the applicable privacy and personal data protection legislation. A copy of those appropriate contractual measures can be provided upon request. Targetspot will always choose a subcontractor that provides sufficient guarantees with regard to technical and organizational security measures concerning data processing.
6. Duration of retention of Personal Data
The Personal Data collected will be erased six (6) months after You unsubscribe from the Targetspot Services for which You have registered on the WebSite or TargetSpot technical tools and services, unless TargetSpot has a legal obligation (notably auditing, reporting, payments and accounting obligations) to retain some Personal Data for a longer period of time.
Some anonymised data may be kept thereafter exclusively for statistical purposes.
7. Your rights
You can ask Targetspot, by sending an e-mail to [email protected], whether Targetspot processes some of Your Personal Data.
You can also access and help Targetspot ensure Your contact information and preferences are accurate, complete and up to date by logging in to Your Targetspot User account, if applicable, through the Passport Campaign Manager Interface.
You can (i) ask TargetSpot to provide You with a copy of Your Personal Data, (ii) request that Targetspot correct Your Personal Data if it is inaccurate or, in some cases, delete Personal Data unless Targetspot has a legal obligation to retain some Personal Data.
You also have the right to ask for the restriction of the processing or to object to the processing of Personal Data relating to You as well as the right to data portability (as the case may be). When applicable, You have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent made prior to such withdrawal.
You can lodge a complaint with a supervisory authority (in particular in the Member State of the European Union of Your usual place of residence, place of work or the place where the violation occurred) if You consider that the processing of Personal Data related to You infringes the data protection legislation.
Please note that access, modifications, corrections, deletion requests can be made usually through Your “Targetspot User Account” or at [email protected]. Targetspot can request in some cases proof of Your identity (copy of identity card or passport) to be sure to respect Your Personal Data and not to send them to a wrong person.
Newsletters, e-mails that You receive will always include the possibility to unsubscribe from the receipt of any message in the future.
Processing of personal data by Targetspot on behalf of Publishers
For the purposes of this Appendix, the following capitalized terms shall have the meaning specified below:
- “Data Subject” shall mean the identified or identifiable individual whose Personal Data is processed;
- “Data Protection Law” shall mean (i) any and all applicable laws implementing the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (as may be modified or replaced), including but not limited to the Belgian law of 8 December 1992 on the protection of individuals regarding the processing of personal data as amended, any directly applicable EU regulations (including but not limited to Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – “GDPR”) which is applicable as from 25 May 2018) as well as any delegated act in relation to the GDPR, Belgian laws and decrees executing the GDPR and (ii) any similar applicable legislations from countries outside of the European Union;
- “Personal Data” shall mean “personal data” as defined in the Data Protection Law which is subject of the Processing, relating to the listeners of the Publishers’ Streams or an end-user of its radio station-service and including any other information directly related to and necessary for the carrying out of the Purposes;
- “Processing” shall mean the “processing” as defined in the Data Protection Law of the Personal Data of each Data Subject by TargetSpot on behalf of the Publishers, which includes the processing of the Personal Data by TargetSpot and the transfer of the Personal Data to the Publishers;
- “Purposes” shall mean the limited, specific and legitimate purposes of the Processing, namely the performance of the services;
- “Subprocessor” shall mean any person (excluding an employee of TargetSpot) appointed by or on behalf of TargetSpot to process Personal Data on behalf of the Publishers.
For the avoidance of doubt, the Parties acknowledge that where Data Protection Law applies, the Publishers acts as the data controller and Targetspot as the data processor of Personal Data to be processed. Accordingly, the Publishers remains solely responsible for determining the means and the purposes of Targetspot’s Processing of Personal Data under existing agreements between Publishers and Targetspot.
3. Processing of Personal Data
TargetSpot agrees that any Processing of Personal Data by Targetspot in respect of which Targetspot acts as data processor on behalf of the Publishers shall be carried out in accordance with the Data Protection Law and the provisions of this Appendix.
Without prejudice to the independence of the Parties, the Personal Data shall only be processed in accordance with the instructions of the Publisher and solely for the Purposes, to the exclusion of any other purposes. The Publishers hereby generally instructs Targetspot to process Personal Data for the Purposes and to the extent necessary to provide the Services in compliance with Targetspot’s obligations under the existing agreements between Publishers and Targetspot.
Without prejudice to the independence of the Parties, Targetspot represents and warrants that Targetspot and any person acting under the authority of or on behalf of Targetspot and having access to the Personal Data shall only process the Personal Data in accordance with the instructions of the Publishers, except in case of a legal obligation, and in accordance with the Data Protection Law. To this end, Targetspot shall inform and train all persons acting under its authority and having access to the Personal Data about the provisions of Data Protection Law.
The following Personal Data are processed on behalf of Publishers by Targetspot when providing Targetspot Services:
Means of Collection
This is a randomly generated, unique, alphanumeric text string (identifier) set by placing a cookie
1. Reading existing TargetSpot cookie in the browser
2. Random generation upon placing of cookie – if none is detected
3. Received by the Data Controller upon ad call
Device IDs are not actively collected and are only used when proactively transferred by the Data
The IP Address can be collected by TargetSpot in 2 ways:
1. When the call to TargetSpot is made by the Controller in the browser. TargetSpot will use the
2. When the call to TargetSpot is not made in the browser, the Data Controller proactively transfers
Means of Processing
The cookie_id is used to identify campaigns eligible for delivery
The Device ID is used to identify campaigns eligible for delivery
The IP Address is used to identify campaigns eligible for delivery
The IP Address is cross checked with databases to determine Geographic Location and ‘Real Person’
Means of Sharing
The cookie_id cannot be accessed by other parties. It can be transmitted to Sub-processors in 3
1. Upon request for ad delivery; if no buyer_id (the cookie_id of the DSP’s) is available, the
2. Forwarding to Sub-processor by means of Macro in VAST call
3. In the synchronization call to the Sub-processors (DSP’s)
The Device ID can be transmitted to Sub-processors in 2 ways:
2. Forwarding to subprocessors by means of Macro in VAST call
The IP address can be transmitted to Sub-processors in 3 ways:
1. Upon request for ad delivery, by the DSP, the IP address will be transmitted
2. Forwarding to Sub-processors by means of Macro in VAST call
3. Request sent to Brand verification tools with the sole aim of fraud detection
Means of Storing
The cookie_id is stored on servers separately from all other non-PII data points.
The Device ID is stored hashed and salted onto our data servers and is irreversibly anonymized
The IP Address is stored hashed and salted and is irreversibly anonymized
Place of Processing
Targetspot owned Paris, Data center
Targetspot owned Paris, Data center
Targetspot owned Paris, Data center
Place of Storage
Targetspot owned Paris, Data center
Targetspot owned Paris, Data center
Targetspot owned Paris, Data center
Retention Period of Storage
The purposes of the cookie_id are:
1. In order to prevent over exposure of a particular campaign to the Data Subject, Targetspot and the
2. Allows for matching of the cookie_id to enable the Sub-processors’ purposes of processing,
The purpose of the Device ID is:
In order to prevent over exposure of a particular campaign to the Data Subject, TargetSpot and the
The purpose of the IP Address is:
1. In order to deliver a campaign coming from the relevant country and in the relevant language to
2. In order to protect the advertisers for campaign delivery on ‘non human’ traffic, Targetspot uses
3. Targetspot uses the IP Address periodically to conduct technical troubleshooting
Legal Basis – Art 6 of GDPR
The cookie_id can be legitimately processed by:
-> Active Opt in (Art. 6(A))
-> Legitimate Interest (Art. 6(F))
The Device ID can be legitimately processed by:
-> Active Opt in (Art. 6(A))
-> Legitimate Interest (Art. 6(F))
The IP Address will be processed on:
-> Legitimate Interest (Art. 6(F))
4. Subprocessing – Onward transfer of Personal Data
Targetspot shall not engage any Subprocessor without prior general or specific written authorisation of the Publisher. Where Targetspot engages a Subprocessor for carrying out specific processing activities on behalf of the Publisher, the same data protection obligations as set out in this Appendix 1 shall be imposed on that Subprocessor by way of a written agreement, in particular providing sufficient guarantees to implement appropriate technical and organisational measures. Where such Subprocessor fails to fulfil its obligations under Data Protection Law, Targetspot shall remain fully liable to the Publisher for the performance of such Subprocessor’s obligations.
The Publishers hereby specifically authorizes Targetspot to engage the following Subprocessors and disclose Personal Data to its sub-contractors for the above-mentioned purposes, both inside and outside the European Economic Area, namely:
Supply Side Platforms
Demand Side Platforms
- The Trade Desk
- Data Management Platforms
- Dax (UK)
- RMS (DE)
- Mediamond (IT)
- TMX (NL)
Targetspot may also transmit Personal Data on the request of a judicial or administrative authority by virtue of applicable law.
The Publishers hereby further generally authorizes Targetspot to engage any other Subprocessor provided that TargetSpot informs the Publishers of any intended changes concerning the addition or replacement of Subprocessors. The Publishers will have the possibility to object to such addition or replacement on the basis of objective grounds.
With respect to each Subprocessor, Targetspot shall:
- carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Personal Data required by this Appendix;
- ensure that the EU Standard Contractual Clauses regarding the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection (hereinafter the “EU Standard Contractual Clauses”) are at all relevant times signed between the Publisher and the Subprocessor if the engagement of such Subprocessor involves a transfer to a country located outside of the European Economic Area which does not ensure an adequate level of data protection and where no appropriate safeguard exists (hereinafter the “Restricted Transfer”). For the purposes of this obligation, the Publishers hereby grants to TargetSpot a mandate (proxy) to enter into EU Standard Contractual Clauses in the name and on behalf of the Publishers with the Subprocessors; and
- provide to the Publishers for review such copies of the agreements with Subprocessors as the Publishers may request from time to time.
Targetspot shall not communicate, disclose or transfer, either free of charge or in return for payment, the Personal Data to any other legal person or individual, except pursuant to the prior written instructions of the Publishers and except where such communication, disclosure or transfer: (i) is necessary to perform the TargetSpot Services or for the Purposes; or (ii) is required by any applicable law, regulation, or governmental authority in which case TargetSpot will, wherever possible, notify the Publishers promptly in writing prior to complying with any such request for communication, disclosure or transfer and shall comply with all reasonable directions of the Publishers with respect to such communication, disclosure or transfer.
TargetSpot shall ensure – having regard to the state of technological development and the cost of implementing any such measures as well as the sensitive nature of the Personal Data to be processed – that appropriate technical and organizational measures are taken against accidental or unauthorized destruction, accidental loss, as well as against alteration of, access to and any other unauthorized processing of the Personal Data. Without limitation to the foregoing, TargetSpot shall, in particular, take adequate technical and organizational measures to:
- ensure that access to the Personal Data is only granted to persons acting under its authority and strictly on a need-to-know basis;
- deny unauthorized persons access to data processing systems within which the Personal Data is processed (access control);
- prevent the use of data processing systems by unauthorized persons (access control);
- ensure that persons authorized to use a data processing system are only able to access the Personal Data to which their access privileges apply (access control);
- ensure that the Personal Data cannot be read, copied, modified or removed without the authorization of TargetSpot during electronic transfer or during transport or storage on data media and that it is possible to check and determine to whom communication of the Personal Data is made through data transfer facilities (checking the identity of any person who forwards the Personal Data and any person to whom the Personal Data is forwarded);
- ensure that the Personal Data is only processed in accordance with the Publisher’s instructions (instruction checking);
- ensure the reliability of any employee, agent or contractor of the Publisher or any Subprocessor and that they are subject to confidentiality obligations (reliability and confidentiality);
- ensure that the Personal Data is protected against accidental destruction or loss (availability checking);
- ensure that pseudonymisation and encryption of Personal Data are used where possible; and
- ensure that Personal Data processed for other purposes can be processed separately (separation checking).
Without prejudice to Clause 7, Targetspot agrees to inform the Publisher in writing without delay and, in any case, within three (3) business days of any accidental or unlawful destruction or accidental loss or damage, alteration, unauthorized disclosure or access to the Personal Data.
TargetSpot shall provide in a prompt manner such co-operation as is reasonably necessary to enable the Publisher to ensure compliance with the Data Protection Law, including but not limited to providing co-operation where the Publisher must respond to requests for exercising the Data Subject’s rights granted by Data Protection Law. In particular, TargetSpot shall:
- promptly notify the Publisher if TargetSpot or any Subprocessor receives a request from a Data Subject under any Data Protection Law in respect of Personal Data; and
- ensure that TargetSpot and/or any Subprocessor only responds to such request upon express written instructions of the Publisher or as required by applicable laws to which TargetSpot and/or the Subprocessor is subject, in which case TargetSpot shall to the extent permitted by applicable laws inform the Publisher of that legal requirement before TargetSpot and/or the Subprocessor responds to the Data Subject’s request.
Targetspot shall as soon as reasonably practicable and in any event in a manner that conforms to any time-scales set out in the Data Protection Law, provide the Publisher with a copy of the Personal Data that it processes, and/or correct or delete any inaccuracies in such Personal Data, as directed by the Publisher.
7. Personal Data breach
In case of any Personal Data breach (defined by the GDPR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”), Targetspot shall, without delay, notify the Publisher of such breach. The notification must, at least, describe the nature of the Personal Data breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned, describe the likely consequences of the Personal Data breach, describe the measures taken or proposed to be taken to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects.
8. Audit and inspection
Targetspot shall, at the request of the Publisher, submit its equipment used for the Processing of Personal Data (if any) for audit of the Processing performed by Targetspot. Such audit shall be performed by the Publisher or a third party (selected by the Publisher and reasonably acceptable to Targetspot) to act on its behalf, at the Publisher’s expense, at Targetspot’s offices or at another mutually agreed location during normal business hours upon fifteen (15) days prior written notice and shall make reasonable endeavors to avoid causing any damage, injury, or disruption in TargetSpot premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. Audit reports shall only include detail sufficient to verify TargetSpot’s compliance with its obligations under this Appendix.
For the performance of the audit or inspection, the Publisher will give a list of authorized person(s) (“Authorized Person”). Targetspot undertakes to give access to its premises to the Authorized Person provided that such Authorized Person:
- produces reasonable evidence of identity;
- works during normal business hours of TargetSpot unless the audit needs to be conducted on an emergency basis.
9. Data Protection Impact Assessment
TargetSpot shall assist the Publisher with any relevant data protection impact assessment and prior consultations with supervisory authorities or other competent data privacy authorities that would be required under Articles 35 or 36 of the GDPR, subject to terms and conditions and fees to be agreed upon on a case-by-case basis.
10. Deletion or return of Personal Data
Targetspot shall ensure that any copies of Personal Data in the possession of Targetspot are promptly, and in any event within one month of the date of cessation of any services, returned to the Publishers or destroyed (at the Publisher’s option) upon the Publishers’ notice and/or when they are no longer required for the performance of Targetspot’s obligations under the Monetization Program, whichever occurs first, and TargetSpot shall delete existing copies unless Data Protection Law requires storage of the Personal Data.
12. Modifications of the applicable Data Protection Law
Targetspot may, by providing at least thirty (30) calendar days’ written notice to the Publishers, make variations to or replace the template EU Standard Contractual Clauses and enter into amended or new EU Standard Contractual Clauses as per Clause 4, subsection (ii), where such variations or replacements are required as a result of any change in, or decision of a competent authority under, the Data Protection Law, to allow the Restricted Transfers referred to in Clause 4, subsection (ii), to be made (or continue to be made) in compliance with the Data Protection Law.