PRIVACY NOTICE FOR THE GLOMEX MEDIA EXCHANGE SERVICE (MES)

The privacy notice informs about the data processing during the usage of the glomex Media Exchange Service (“MES”). This includes the user’s data processing of content owners (“Content Owners”) and publishers (“Publishers”), who have concluded to the terms and conditions (“T&Cs”) with glomex GmbH or publisher who have concluded a Partner-Involvement with glomex GmbH (“Partner Publishers”), and certified glomex-partners (“Partners”) (together “MES Users”).

1. Data Controller and Contact Person

1.1. Data Controller

Data Controller within the meaning of the General Data Protection Regulation (GDPR) for the processing activities described below is glomex GmbH („glomex“), Dieselstrasse 1, 85774 Unterföhring, Germany.

1.2. Contact Point for Data Protection Enquiries

MES Users can contact the glomex data protection team at any time with data protection enquiries by sending a message to the postal address provided above or by email to privacy@glomex.com. At the request of the MES Users, confidential information can be forwarded to the data protection officer of glomex and answered by this data protection officer. In such cases, the words “Attn: Data Protection Officer” should be added to postal enquiries or, in the case of enquiries by e-mail, direct contact with the data protection officer should be requested.

2. Data Processing in the course of the Business Relationship

As part of the T&Cs with Publishers and Content Owners as well as the business relationship with the Partner Publishers and Partners, glomex also processes personal data of the MES Users for the following purposes:

2.1. Customer Management

In order to manage the business contacts, glomex processes information about the Content Owners, Publishers, Partner Publishers and Partners (in particular company name, address, branch offices, finance data, if applicable, authorized representatives and their contact data, each „Business Data“) as well as information about the respective MES User (in particular name, position, business contact information like e-mail address and phone number, each „User Data“).glomex uses this data in order to be able to reach out to the right contact person when contacting the MES Users to process their requests and orders properly and to maintain the business relationship. In case of conducting customer management of Partner Publishers, also the Partner undertakes the customer management, and the Partner Publishers’ data will be shared with and processed by Partner.The legal basis is Art. 6 para. 1 lit. f GDPR. The legitimate interest is to provide the MES for MES Users and to conduct a functioning customer management.

2.2. Order Management and Billing

As part of order processing and billing, glomex collects information on offers, orders and invoice items as well as payment details of Content Owners, Publishers and Partners. MES User Data may also be processed in this context. In case of conducting order management and billing for Partner Publishers, the Partner undertakes the order management and billing, and the Partner Publisher’s data will be shared with and processed by Partner.The legal basis is Art. 6 para. 1 lit. f GDPR. The legitimate interest is to fulfill the order management and billing.

2.3. Controlling and Reporting

glomex also processes information of MES Users on orders and invoice items for internal cost and performance accounting, controlling and internal reporting, which glomex use for corporate management and forecasting. In case of conducting controlling and reporting for Partner Publishers, the Partner undertakes the controlling and reporting, and the Partner Publisher’s data will be shared with and processed by Partner.The legal basis is Art. 6 para. 1 lit. f GDPR. The legitimate interest is to perform the controlling and reporting for the business relationship.

2.4. Service Information

As an integral part of the MES related to the glomex Player, glomex send information by e-mail to MES Users, which contain e. g. T&Cs updates, Global Vendor List (“GVL”) updates, ads.txt updates and information about the takedown of a video.The legal basis is Art. 6 para. 1 lit. f GDPR based on the legitimate interest to provide the services according to the glomex T&Cs.

2.5 Optimization and troubleshooting

This website uses the Google Analytics 4 service (“Google Analytics”), which is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland for persons from Europe, the Middle East and Africa (EMEA) and by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA for all other persons.

Google Analytics uses JavaScript and pixels to read information on the users’ terminal devices and cookies to store information on Users’ terminal devices. This is used to analyse the usage behaviour of the users and to improve this website. glomex will process the information obtained to evaluate the use of the website and to compile reports on website activities for the website operators. The data generated in this context may be transferred by Google to a server in the USA for evaluation and stored there.

As part of the evaluation, Google Analytics 4 also uses artificial intelligence such as machine learning for the automated analysis and enrichment of the data. For example, Google Analytics 4 models conversions insofar as not enough data is available to optimise the evaluation and reports. Users can find more information on this at: https://support.google.com/analytics/answer/10710245. The data analyses are automated with the help of artificial intelligence or on the basis of specific, individually defined criteria. The users can find out more about this at: https://support.google.com/analytics/answer/9443595.

glomex has made the following data protection settings for Google Analytics:

– IP anonymisation (shortening of the IP address before analysis);

– Automatic deletion of old visit logs by limiting the storage period to 2 months;

– No resetting of the retention period in the event of new activity;

– Deactivation of the collection of exact location and position data;

– Disable collection of accurate device data;

– Disabled advertising functionality (including audience remarketing through GA Audience);

– Disabled remarketing;

– Disabled cross-device and cross-page tracking (Google Signals);

– Disabled data sharing with other Google products and services; Benchmarking, technical support, account manager.

The following data is processed by Google Analytics:

– IP address;

– Device ID;

– Referrer URL (previously visited page);

– Pages viewed (date, time, URL, title, length of stay);

– Downloaded files;

– Clicked links to other websites;

– Achievement of specific goals (conversions), if applicable;

– Technical information: Operating system; Browser type, version and language; Device type, brand, model and resolution;

– Approximate location (country and city, if applicable, based on anonymised IP address).

– Google Analytics sets the following cookies for the specified purpose with the respective storage period;

– “ga” (2 years), “gid” (24 hours): Recognition and differentiation of the uUsers by a device ID (client ID for browsers and app instance ID for apps);

– “ga_{GA4-ID}” (2 years): Retention of current session information.

The users can find more information about Google Analytics cookies at: https://support.google.com/analytics/answer/11397207?hl=de.

The legal basis for this data processing is the consent of Users in accordance with Art. 6 para. 1 lit. a GDPR. Access to and storage of information in the terminal device is then carried out on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG. glomex has concluded an order processing agreement with Google Ireland Limited for the use of Google Analytics. Personal data can be transferred from Google Ireland Limited to Google LLC in the USA. Google LLC has joined the Data Privacy Framework (EU-US, Swiss-US, UK-US), therefore the transfer of data to the USA is justified on the basis of an adequacy decision. Furthermore, Google Ireland Limited and Google LLC have concluded standard contractual clauses (Implementing Decision (EU) 2021/914, Module 3) in accordance with Art. 46 para. 2 lit. c GDPR.

Users can find more information in the privacy policy of Google at: https://support.google.com/analytics/answer/6004245.

glomex has configured Smartlook in a privacy-friendly manner, which means that no cookies are stored on the terminal device, form fields are not recorded, the IP address is not stored and it is only possible to recognize the same MES user for the duration of the session.

The legal basis is Art. 6 para. 1 lit. f GDPR on the basis of the legitimate interest in optimizing the MES and correcting errors. MES users can object to the use of Smartlook at any time and deactivate it at the following link: https://www.smartlook.com/opt-out/.

The transfer of personal data to Cisco Systems, Inc. in the USA takes place due to the certification of Cisco Systems, Inc. for the EU-US Data Privacy Framework on the basis of an adequacy decision of the European Commission.

3. Direct Marketing

3.1. Product Information

glomex also send product related information by e-mail to MES Users, which contain e. g. editorial news, video recommendations and new features. To contact MES Users, glomex processes the MES User Data.

The legal basis for the aforementioned data processing is Art. 6 para. 1 lit. f GDPR in conjunction with Section 7 para. 3 of the German Act Against Unfair Competition (German: Gesetz gegen den unlauteren Wettbewerb, or UWG) for e-mail based on the legitimate interest to promote glomex products to MES Users. MES Users can object to the use of their User Data for direct marketing purposes at any time by sending glomex an e-mail or postal message or by using an opt-out link directly in the e-mail pursuant to Art. 21 para. 3 GDPR (see contact details under „Data Controller“).

3.2. Newsletter

MES Users may also subscribe to the newsletter, which contains e. g. invitations to marketing events and panels. glomex will only send newsletter by e-mail if MES Users confirm their email address during the registration process or if a user profile has been created by glomex at the request of the MES Users. This information is necessary to send newsletter to MES Users and to be able to prove their subscription.

The legal basis for data processing is the consent of MES Users pursuant to Art. 6 para. 1 lit. a GDPR. MES Users may withdraw their consent at any time with effect for the future by unsubscribing from newsletter. A corresponding unsubscribe link can be found in each newsletter. MES Users can also send a message to the contact details provided above in section 1 or in the newsletter (e.g., by e-mail or postal message) to unsubscribe.

3.3. Usage measurement

glomex want to share relevant content with MES Users and better understand what they are interested in. For this reason, glomex uses conventional technologies in the newsletter and product information that can allow to measure the interactions with e-mails (e.g., opening of the e-mails, links clicked on). glomex uses this data in pseudonymous form for aggregated statistical evaluations and for further optimizing and developing the content and customer communications. This is performed with the help of small graphics that are embedded in e-mails (so-called pixel) and establish a connection to the server of the images when the e-mail is opened. Furthermore, glomex uses links where it first registers MES Users’ clicks before redirecting MES Users to the desired target page.

The legal basis, depending on the kind of e-mail, is the consent of MES Users in accordance with Art. 6 para. 1 lit. a GDPR or the above-mentioned legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR. MES Users may deactivate the usage measurement at any time with effect for the future by unsubscribing from newsletter, using an opt-out link directly in the e-mail or by sending glomex an e-mail or postal message (see contact details under section 1.1 „Data Controller“). MES Users may also prevent the measurement of the e-mail openings by deactivating graphics or the output of HTML content in their e-mail program by default. 

4. Data Processing on glomex Website and the glomex player

For the data processing on the glomex website (www.glomex.com), including the usage of tools that access or store information on the terminal device, please see the privacy notice for the glomex-website: https://www.glomex.com/en/privacy-policy/privacy-notice-for-the-glomex-website/. Furthermore, glomex refers for the use of the glomex player within the context of the MES to the privacy notice of the glomex player: https://www.glomex.com/en/privacy-policy/privacy-notice-for-the-glomex-player/.

5. Categories of Recipients

The Business Data as well as the User Data will generally be processed by glomex. In case of Partner Publishers, the Partner Publisher’s data will also be shared with and processed by Partner.Exceptionally, data may be passed on to third parties in the following cases:

a. MES Users have given their explicit consent– Art. 6 para. 1 lit. a GDPR;

b. if it is required or stipulated by law, in particular if this is necessary for legal prosecution or enforcement due to official inquiries, court orders and legal proceedings (e.g., as part of a tax audit by the tax authorities or as part of money laundering prevention) – Art. 6 para. 1 lit. c GDPR;

c. if it is necessary to protect MES Users’ or glomex’ interests for the assertion, exercise or defense of legal claims and there is no reason to assume that MES Users have an overriding interest worthy of protection in not having the data disclosed – Art. 6 para. 1 lit. f GDPR.

d. or if it is necessary to fulfil the contractual obligations of glomex or to perform pre-contractual measures (e.g. to reimburse the business partners for their services via glomex partners) – Art. 6 para. 1 lit. b GDPR.

Such disclosure also occurs when glomex involve external service providers in their internal processes. This may include, in particular, data centers, software providers, IT service providers that maintain glomex’ systems, agencies, market research companies, and group companies. In these cases, the service provider is bound by instructions and receives data only to the extent and for the period necessary for the provision of the services. In addition, glomex may employ external consultants and auditors. Agreements are always concluded with them to ensure the confidentiality of all information.

6. Third Country Transfer

glomex may transfer personal data outside of the European Economic Area (“EEA”) (so-called third countries), especially by using providers which are located in third countries or process the data there. Third countries do not have a level of data protection which corresponds to that of the European Union (“EU”). Insofar as this is the case and the European Commission has not issued an adequacy decision (Art. 45 GDPR) for these countries, glomex have taken appropriate safeguards to ensure an adequate level of protection for the transfer in third countries. These include, among others, the Standard Contractual Clauses of the European Union (“SCC”) or Binding Corporate Rules (“BCR”).

Where this is not possible, glomex base the data transfer on exceptions of Art. 49 GDPR, in particular MES Users’ explicit consent or the necessity of the transfer for the performance of the contract or for the implementation of pre-contractual measures. Where a third country transfer is intended and no adequacy decision or appropriate safeguards are in place, it is possible and there is a risk that authorities in the respective third country (e.g. intelligence services) may gain access to the transferred data in order to collect and analyze it, and that enforceability of MES Users’ data subject rights cannot be guaranteed. In case of obtaining MES Users’ consent via the consent banner, they will be informed about this as well.

7. Storage Period

glomex store personal data only for as long as necessary to fulfill the purposes for which glomex collected the data (e.g. the data will be stored for the duration of this business relationship). Thereafter, glomex delete the data immediately, unless glomex still need the data until the expiry of the statutory limitation period for evidence purposes for claims under civil law, due to statutory retention obligations or there is another legal basis under data protection law for the continued processing of the data in the specific individual case.

For evidentiary purposes, glomex is committed to retain contractual data in particular for three years from the end of the year in which the business relationship ends. Any claims become statute-barred at this point at the earliest in accordance with the statutory limitation period.

Even after this, the Business Data or User Data partly will be stored for accounting reasons (e.g. at least for the duration of the statutory accounting obligations). glomex is obliged to do so because of legal documentation obligations that may arise from the German Commercial Code, the German Fiscal Code, the German Banking Act, the German Money Laundering Act (Geldwäschegesetz) and the German Securities Trading Act (Wertpapierhandelsgesetz). The periods specified there for the retention of documents are two to ten years.

8. Data Subjects Rights

  8.1 Overview and Exercise of Data Subject Rights

MES Users (“Data Subjects”) are entitled to the data subjects rights at any time if the respective legal requirements are met

a. Right to withdraw the consent (Art. 7 para. 3 GDPR)

More information on withdrawal is available to Data Subjects under section 8.2.

b. Right to object (Art. 21 GDPR)

More information on objection is available to Data Subjects under section 8.3

c. Right of access by the Data Subject (Art. 15 GDPR)

Data Subjects have the right to request a copy of any personal data which glomex hold about them.

d. Right to rectification (Art. 16 GDPR)

Data Subjects have the right to rectify their personal data, if they consider that the information glomex is holding is inaccurate.

e. Right to erasure (Art. 17 GDPR)

Data Subjects have the right to ask glomex to delete their personal data, if they consider that glomex do not have the right to hold it.

f.Right to restriction (Art. 18 GDPR)

Data Subjects have the right to restrict processing of their personal data.

g. Right to data portability (Art. 20 GDPR)

Data Subjects have the right to receive their personal data which glomex hold about them and to transmit those data to another controller.

To exercise the Data Subjects rights, Data Subjects can contact glomex at any time using the contact details above in section 1. This also applies if Data Subjects wish to receive copies of the legal safeguards demonstrating an adequate level of data protection in case of data transfer to third countries. Provided that the respective legal requirements are met, glomex will comply with the data subject request.

The data subject requests and the responses of glomex to them will be stored for the documentation purposes for a period of up to three years and, in individual cases, for longer if this is necessary for asserting, exercising or defending legal claims. The legal basis is Art. 6 para. 1 lit. f GDPR, based on the interest of glomex in defending against any civil claims under Art. 82 GDPR, avoiding fines under Art. 83 GDPR and fulfilling the accountability obligations under Art. 5 para. 2 GDPR.

8.2 Right to withdraw the consent (Art. 7 para. 3 GDPR)

Data Subjects have the right to withdraw their consent for the processing of their personal data (to the extent such processing is based on previously obtained consent) at any time. This has the consequence that glomex no longer continue the data processing based on this consent with the future effect. The withdrawal of consent does not affect the lawfulness of the processing based on the consent until the withdrawal. If Data Subjects wish to exercise their right of withdrawal, an informal message using the contact details above in section 1 will suffice.

8.3 Right to object (Art. 21 GDPR)

Data Subjects have the right to object to the processing of their data, if glomex process Data Subjects data on the basis of legitimate interests, at any time on grounds relating to their particular situation. If it is a matter of objecting to the processing of data for direct marketing purposes, Data Subjects have a general right of objection, which will also be implemented by glomex without giving reasons. If Data Subjects wish to exercise their right of withdrawal, an informal message using the contact details above in section 1 will suffice.

8.4 Right to lodge (Art. 77 GDPR)

Data Subjects have the right to lodge a complaint with any data protection authority in the EU, for example, a supervisory authority in the member state of their residence, workplace or the location of the alleged violation. For glomex, the competent supervisory authority is the Data Protection Authority of Bavaria for the Private Sector / Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany. E-mail: poststelle@lda.bayern.de.

9. Note on data protection law outside the European Economic Area

This privacy notice is addressed to users from the European Economic Area and explicitly from Germany, which is why the aforementioned information, including the legal basis and data subject rights, comply with the requirements of the GDPR, the BDSG, the TTDSG and other EU and German laws.

For MES Users outside the European Union, other legal bases and data subject rights may be relevant based on the law applicable to them. However, where necessary, we always obtain the consent of users to process their data. Certain conditions and exceptions apply to the exercise of MES Users’ rights, depending on the law applicable to them. Depending on the legal situation, glomex may or must therefore refuse certain requests.

As a company based in Germany, when this website is accessed, user data is transferred to the European Economic Area, including Germany. If glomex transfers data to other countries, this will only take place if an adequate level of data protection exists for these countries, security measures have been taken or exemptions exist. Within the framework of this data protection declaration, it is stated to which countries glomex transfer data and to what extent adequacy decisions have been made for transfers to the USA, for example (such as EU-US, UK-US or Swiss-US Data Privacy Framework). MES Users can obtain information at any time about the recipients of their data and the measures taken to ensure an adequate level of data protection. To exercise their rights, MES Users may contact glomex at any time using the contact details provided in section 1.

Information on the tools used on this website, including information stored on the terminal device such as cookies and measures to block them via browser settings, is provided to users in this privacy notice and in the consent banner used.

10. Changes to this Privacy Notice

As glomex’ services evolve, changes to this privacy notice may become necessary. This website always contains the current version of the privacy notice.

Version: 1.1 | Last amended: December 25